PoC: ExecuTorch (.pte) out-of-bounds read in Program::load -> SIGSEGV
Security-research PoC for the huntr Model File Vulnerability (MFV) program (ExecuTorch format).
Loading a malformed .pte with the standard _load_for_executorch loader (default verification)
triggers an OOB read (CWE-125) in executorch::runtime::Program::load, which crashes the runtime.
Affected: executorch 1.3.1 (latest) + torch 2.12.1. This is a distinct, residual OOB on a version ~9 minor releases past CVE-2025-54950 (fixed in 0.7.0); the bounds-hardening does not cover this flatbuffer offset.
Files
- control.pte: benign model (loads + runs clean).
- model.pte: malicious (= control.pte with bytes[64:68] 0x14000000 -> 0xFFFFFFFF, one flatbuffer uoffset).
- build_poc.py: derives model.pte from control.pte (single offset patch).
- repro.py: standard documented loader, default verification.
Reproduce
pip install executorch
python repro.py control.pte # LOADED / RAN_OK (rc 0)
python repro.py model.pte # SIGSEGV (rc 139): OOB read in Program::load
Crash fires during metadata resolution (no inference needed). For defensive/research use only.
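A triage check for the single-offset difference described under Files, added here as an example and not part of the PoC's own scripts: it compares a known-good file with a suspect one and reports whether each changed 32-bit word, read as a FlatBuffers uoffset (relative to its own position), still points inside the file. The function names and the 128-byte sample buffers are assumptions constructed for illustration; only the bytes[64:68] values come from the page.

```python
import struct

def uoffset_target(buf: bytes, pos: int) -> int:
    """Absolute position referenced by the FlatBuffers uoffset stored at `pos`.

    A uoffset is an unsigned 32-bit little-endian value, relative to its own location.
    """
    (rel,) = struct.unpack_from("<I", buf, pos)
    return pos + rel

def in_bounds(buf: bytes, pos: int, min_size: int = 4) -> bool:
    """True if the target leaves room for at least `min_size` bytes inside the file."""
    return uoffset_target(buf, pos) + min_size <= len(buf)

def triage(control: bytes, suspect: bytes) -> list[dict]:
    """List 4-byte words that differ, with a bounds verdict for each side.

    Assumption: every differing word is treated as a candidate uoffset; the
    real schema is not parsed, so a human still confirms what the field is.
    """
    findings = []
    n = min(len(control), len(suspect))
    for pos in range(0, n - 3, 4):
        if control[pos:pos + 4] != suspect[pos:pos + 4]:
            findings.append({
                "pos": pos,
                "control_ok": in_bounds(control, pos),
                "suspect_ok": in_bounds(suspect, pos),
                "suspect_target": uoffset_target(suspect, pos),
            })
    return findings

def constructed_pair() -> tuple[bytes, bytes]:
    """Constructed 128-byte stand-ins, not real .pte files: only bytes[64:68]
    are set, in file order as listed on the page."""
    control = bytearray(128)
    control[64:68] = bytes.fromhex("14000000")
    suspect = bytearray(control)
    suspect[64:68] = bytes.fromhex("FFFFFFFF")
    return bytes(control), bytes(suspect)

if __name__ == "__main__":
    for finding in triage(*constructed_pair()):
        print(finding)
```

A word flagged with suspect_ok False is a reason to reject the file before it reaches the loader, or to load it only in an isolated child process.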