Hugging Face's logo

Alexexy
/
mymodel

Core ML
Model card Files
xet
 Community

You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

CoreML Span::Slice Integer Overflow PoC

CVE: Pending
Severity: High
Affected: coremltools 9.0 (macOS / Linux)

Vulnerability

Integer overflow in MILBlob::Util::Span::Slice (mlmodel/src/MILBlob/Util/Span.hpp:325) bypasses bounds checks when loading a CoreML mlProgram model with a crafted weight.bin. Results in out-of-bounds memory access β†’ SIGSEGV (process crash) on ct.models.MLModel().

// Bounds check in Span::Slice β€” NO overflow protection:
MILVerifyIsTrue(size > 0 && index < Size() && index + size <= Size(), ...)
//                                             ↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑
// index=128, size=0xFFFFFFFFFFFFFF80 β†’ 128 + 0xFFFFFFFFFFFFFF80 = 0 β†’ PASSES

Files

  • evil_crash.mlpackage/ β€” malicious CoreML model with crafted weight.bin
  • poc.py β€” standalone PoC that loads the model and captures the crash

Reproduce 

pip install coremltools
python3.12 poc.py

Expected: Exit code: -11 (SIGSEGV β€” signal 11)

Reported By

Security research β€” huntr.dev disclosure

Downloads last month
1
Inference Providers NEW
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support