⚠️ Security PoC: NOT a usable model

This repository contains proof-of-concept malformed NVIDIA TensorRT engine files submitted to the huntr "Model Format Vulnerability" program (Protect AI / Palo Alto Prisma AIRS). They are not functional models. They deliberately trigger a memory-safety crash in TensorRT's deserializer and are published solely for responsible-disclosure reproduction.

What it demonstrates

Loading either file with IRuntime::deserializeCudaEngine crashes the process inside nvinfer during deserialization of the model file (before any inference runs). Each PoC is a valid TensorRT engine with a single 4-byte field overwritten.

| File | Trigger | Effect |
|---|---|---|
| poc_oob_read.engine | 32-bit field @ file offset 0x144 set to 0x7FFFFFFF | Out-of-bounds READ → access violation at nvinfer_11.dll+0x72187D (fault addr 0xFFFFFFFFFFFFFFFF) |
| poc_oob_read2.engine | fields @ 0x2C=0x10 and 0x34=0x7FFFFFFF | Distinct OOB READ (heap-relative) → access violation at nvinfer_11.dll+0x7031E9; evades section-field validation |
| poc_oom_dos.engine | 32-bit field @ file offset 0x1F8 set to 0x7FFFFFFF | Unbounded allocation → LLVM ERROR: out of memory → abort (DoS) |

Reproduced on TensorRT 11.1.0.106 (tensorrt-cu13, the latest release), CUDA 13.2, NVIDIA RTX 5080 (Blackwell, sm_120), Windows 11, Python 3.12, i.e. a version newer than the fix for CVE-2026-24188, so this is a distinct defect.

The same files are reported clean by Protect AI ModelScan 0.8.8 (total_scanned: 0, total_issues: 0): the scanner does not recognize the .engine format and silently skips it.
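The "clean" verdict above is really a coverage gap: zero files scanned and zero issues is indistinguishable from a real pass unless the pipeline checks how many artifacts the scanner actually looked at. The following gate is an added example (not part of this repository or of ModelScan); it assumes only that the scanner's JSON report carries `total_scanned` and `total_issues` counters somewhere in its structure, the two values quoted above. The nesting in the constructed sample report is an assumption, not ModelScan's documented schema, which is why the lookup is a recursive key search rather than a fixed path.

```python
"""Treat "nothing scanned" as a failed gate, not a clean result.

Added example; not part of this repository or of ModelScan. Assumes only
that the scanner's JSON report contains `total_scanned` and `total_issues`
counters somewhere in its structure. The exact nesting used in the sample
below is constructed for illustration.
"""
import json
from typing import Any, Iterable, Optional


def find_key(node: Any, key: str) -> Optional[Any]:
    """Depth-first search for `key` in nested dicts/lists; None if absent."""
    if isinstance(node, dict):
        if key in node:
            return node[key]
        for value in node.values():
            hit = find_key(value, key)
            if hit is not None:
                return hit
    elif isinstance(node, list):
        for value in node:
            hit = find_key(value, key)
            if hit is not None:
                return hit
    return None


def gate(report_json: str, artifacts: Iterable[str]) -> tuple:
    """Return (passed, reason) for a scanner report over the given artifacts.

    Fails when the scanner reported issues, when the report lacks the
    counters we rely on, or when it scanned fewer files than we handed it.
    The last case is exactly how an unsupported format such as .engine
    turns a silent skip into a false "clean".
    """
    artifacts = list(artifacts)
    report = json.loads(report_json)
    scanned = find_key(report, "total_scanned")
    issues = find_key(report, "total_issues")
    if scanned is None or issues is None:
        return False, "report lacks total_scanned/total_issues; refusing to trust it"
    if issues > 0:
        return False, f"scanner reported {issues} issue(s)"
    if scanned < len(artifacts):
        missed = len(artifacts) - scanned
        return False, f"{missed} of {len(artifacts)} artifact(s) were never scanned"
    return True, f"all {scanned} artifact(s) scanned, no issues"


# Constructed sample mimicking the result quoted above for one .engine file:
# zero scanned, zero issues. Not real ModelScan output.
SAMPLE_SKIPPED_ENGINE = json.dumps(
    {"summary": {"total_issues": 0, "scanned": {"total_scanned": 0}}}
)
# Constructed sample for a supported format that was actually scanned.
SAMPLE_OK = json.dumps(
    {"summary": {"total_issues": 0, "scanned": {"total_scanned": 1}}}
)

if __name__ == "__main__":
    print(gate(SAMPLE_SKIPPED_ENGINE, ["poc_oob_read.engine"]))
    print(gate(SAMPLE_OK, ["model.pkl"]))
```

In a CI job the artifact list is the set of files being admitted and the report is the scanner's JSON output; a `False` verdict with "never scanned" means the format needs a scanner that understands it, not a rubber stamp.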

Reproduce

Requires an NVIDIA GPU. TensorRT engines are version- and architecture-specific, so the header encodes the TRT version (11.1.0.106) and GPU compute capability (sm_120). There are two repro paths:

A) Direct (best on TensorRT 11.1.0.106 + a Blackwell sm_120 GPU like our setup):

```shell
python -m venv .venv
.venv/Scripts/pip install tensorrt --extra-index-url https://pypi.nvidia.com   # Linux: .venv/bin/pip
python repro.py poc_oob_read.engine
```

B) Regenerate on your own hardware (robust across GPUs running TensorRT 11.1.x):

```shell
python build_baseline.py          # builds baseline.engine for YOUR GPU/TRT
python make_poc.py                # applies the same 4-byte diffs @0x144 / @0x1F8
python repro.py poc/poc_oob_read.engine
```

The process dies with an access violation (0xC0000005). A benign engine prints a normal result. The trigger offsets 0x144 / 0x1F8 were derived for the baseline produced by build_baseline.py on TensorRT 11.1.0.106; on a different TRT minor version, rebuild with path B so the offsets match.
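The repro above deliberately loads the engine in-process, so the crash takes the Python interpreter with it. Any service that deserializes engines it did not build itself should not do that: the defensive pattern is to run `deserializeCudaEngine` in a disposable child with a wall-clock timeout and an address-space cap, so an access violation or the unbounded allocation from the DoS case is reported as a verdict rather than as a dead server. The loader below is an added example, not part of this repository; it generalizes past the PoC files to any engine path. It assumes Python 3.8+ and, for the TensorRT path, that the `tensorrt` package and a GPU are available to the child. The memory cap uses `RLIMIT_AS`, which is POSIX-only; on Windows the child still gets the timeout and the exit-code classification (including the 0xC0000005 status mentioned above), just not the cap.

```python
"""Deserialize an untrusted TensorRT engine in a disposable child process.

Added example; not part of the PoC repository or of TensorRT. Assumes
Python 3.8+; the TensorRT worker additionally assumes the `tensorrt`
package and an NVIDIA GPU inside the child. RLIMIT_AS is POSIX-only.
"""
import os
import subprocess
import sys
from typing import List, Optional

# Worker source for the child. Kept as a string so the parent never loads
# nvinfer and cannot be taken down by the deserializer.
_TRT_WORKER = r"""
import sys
import tensorrt as trt  # only imported inside the disposable child
logger = trt.Logger(trt.Logger.ERROR)
with open(sys.argv[1], "rb") as f:
    blob = f.read()
engine = trt.Runtime(logger).deserialize_cuda_engine(blob)
sys.exit(0 if engine is not None else 2)
"""

WIN_ACCESS_VIOLATION = 0xC0000005  # STATUS_ACCESS_VIOLATION, as quoted above


def python_argv(code: str) -> List[str]:
    """argv that runs `code` under the current interpreter (used by the tests)."""
    return [sys.executable, "-c", code]


def classify_exit(returncode: Optional[int], timed_out: bool) -> str:
    """Map a child's exit status to a verdict the caller can act on."""
    if timed_out:
        return "timeout"
    if returncode is None:
        return "unknown"
    if returncode == 0:
        return "ok"
    if returncode < 0:  # POSIX: killed by signal (SIGSEGV, SIGABRT, ...)
        return f"crash(signal {-returncode})"
    if returncode & 0xFFFFFFFF == WIN_ACCESS_VIOLATION:  # Windows NTSTATUS
        return "crash(access violation)"
    return f"rejected(exit {returncode})"  # worker's own sys.exit / exception


def run_isolated(argv: List[str], timeout_s: float = 30.0,
                 mem_limit_bytes: int = 2 << 30) -> str:
    """Run `argv` in a child with a timeout and (on POSIX) an address-space cap."""
    preexec = None
    if os.name == "posix":
        import resource

        def _limit() -> None:
            # Never try to raise the hard limit: that needs privilege.
            _soft, hard = resource.getrlimit(resource.RLIMIT_AS)
            cap = mem_limit_bytes
            if hard != resource.RLIM_INFINITY:
                cap = min(cap, hard)
            resource.setrlimit(resource.RLIMIT_AS, (cap, cap))

        preexec = _limit
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout_s,
                              preexec_fn=preexec)
    except subprocess.TimeoutExpired:
        return classify_exit(None, timed_out=True)
    return classify_exit(proc.returncode, timed_out=False)


def load_engine_isolated(engine_path: str, timeout_s: float = 30.0,
                         mem_limit_bytes: int = 2 << 30) -> str:
    """Deserialize `engine_path` in a child; the parent survives any crash."""
    return run_isolated(python_argv(_TRT_WORKER) + [engine_path],
                        timeout_s, mem_limit_bytes)


if __name__ == "__main__":
    verdict = load_engine_isolated(sys.argv[1])
    print(f"{sys.argv[1]}: {verdict}")
    sys.exit(0 if verdict == "ok" else 1)
```

Usage mirrors `repro.py` (`python isolated_load.py poc_oob_read.engine`, with the script name an assumption), but the parent prints a `crash(...)`, `timeout` or `rejected(...)` verdict and exits 1 instead of dying. Isolation does not fix the deserializer bug; it bounds the blast radius while the engine is still untrusted, and it is the verdict you would log or alert on in production.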

Files

  • poc_oob_read.engine: OOB-read crash PoC (prebuilt, TRT 11.1.0.106 / sm_120)
  • poc_oob_read2.engine: 2nd distinct OOB-read PoC (prebuilt)
  • poc_oom_dos.engine: OOM/DoS PoC (prebuilt)
  • build_baseline.py: builds a minimal valid baseline engine for your hardware
  • make_poc.py: deterministic PoC generator (shows the exact 4-byte diff)
  • repro.py: minimal loader that crashes on the PoC