PoC: ExecuTorch (.pte) out-of-bounds read in Program::load → SIGSEGV

Security-research PoC for the huntr Model File Vulnerability (MFV) program (ExecuTorch format). Loading a malformed .pte with the standard _load_for_executorch loader (default verification) triggers an OOB read (CWE-125) in executorch::runtime::Program::load → runtime crash.

Affected: executorch 1.3.1 (latest) + torch 2.12.1. This is a distinct, residual OOB on a version ~9 minor releases past CVE-2025-54950 (fixed in 0.7.0); the bounds-hardening does not cover this flatbuffer offset.

Files

  • control.pte: benign model (loads + runs clean).
  • model.pte: malicious (= control with bytes[64:68] 0x14000000 → 0xFFFFFFFF, one flatbuffer uoffset).
  • build_poc.py: derives model.pte from control.pte (single offset patch).
  • repro.py: standard documented loader, default verification.

Reproduce

pip install executorch
python repro.py control.pte   # LOADED / RAN_OK  (rc 0)
python repro.py model.pte     # SIGSEGV (rc 139): OOB read in Program::load

Crash fires during metadata resolution (no inference needed). For defensive/research use only.
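
Because the fault happens in native code at load time, a service that accepts untrusted .pte files can only contain it by loading in a separate process. The wrapper below is an added example, not part of this PoC repository: probe_load and LOAD_SNIPPET are hypothetical names, and the child is assumed to have executorch installed with the loader available from its portable_lib Python binding module.

```python
import signal
import subprocess
import sys

# Child-side code: the loader named on the page. Assumes executorch is
# installed in the child's environment; nothing is imported in the parent.
LOAD_SNIPPET = (
    "import sys\n"
    "from executorch.extension.pybindings.portable_lib import _load_for_executorch\n"
    "_load_for_executorch(sys.argv[1])\n"
)


def probe_load(path, snippet=LOAD_SNIPPET, timeout=60):
    """Run the loader on `path` in a throwaway interpreter.

    Returns (verdict, detail); verdict is ok, rejected, crashed or timeout.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", snippet, path],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return ("timeout", f"no result after {timeout}s")
    rc = proc.returncode
    if rc == 0:
        return ("ok", "loaded")
    if rc < 0:
        # POSIX: the child was killed by signal -rc. A shell reports the
        # same event as 128 + signal number, hence rc 139 for SIGSEGV (11).
        try:
            name = signal.Signals(-rc).name
        except ValueError:
            name = f"signal {-rc}"
        return ("crashed", name)
    # Non-zero exit, e.g. the loader raised a Python exception (clean rejection).
    return ("rejected", f"exit code {rc}")


if __name__ == "__main__":
    verdict, detail = probe_load(sys.argv[1])
    print(f"{sys.argv[1]}: {verdict} ({detail})")
    sys.exit(0 if verdict == "ok" else 1)
```

A "crashed" verdict is worth logging separately from "rejected": the first means the file reached a memory-safety fault in the runtime, the second means verification refused it.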
