OpenVINO ConvolutionBackpropData allocation DoS PoC

This repository contains two valid OpenVINO IR XML/BIN model pairs that differ only in the ConvolutionBackpropData output_shape constant embedded in the model file.

Observed behavior with openvino==2026.2.1 under a 2 GiB address-space cap:

  • control model:
    • read_model() succeeds
    • compile_model() succeeds
    • inference succeeds with output shape [1, 1, 2, 2]
  • malicious model:
    • read_model() succeeds
    • compile_model() raises RuntimeError: Failed to allocate 360000000000000000 bytes of memory

Public repo:

  • Repo: https://huggingface.co/hacnho/openvino-convolution-backprop-data-allocation-dos-poc
  • Control XML: https://huggingface.co/hacnho/openvino-convolution-backprop-data-allocation-dos-poc/resolve/main/control_convolution_backprop_data_2.xml
  • Control BIN: https://huggingface.co/hacnho/openvino-convolution-backprop-data-allocation-dos-poc/resolve/main/control_convolution_backprop_data_2.bin
  • Malicious XML: https://huggingface.co/hacnho/openvino-convolution-backprop-data-allocation-dos-poc/resolve/main/malicious_convolution_backprop_data_300m.xml
  • Malicious BIN: https://huggingface.co/hacnho/openvino-convolution-backprop-data-allocation-dos-poc/resolve/main/malicious_convolution_backprop_data_300m.bin
  • Reproducer: https://huggingface.co/hacnho/openvino-convolution-backprop-data-allocation-dos-poc/resolve/main/reproduce.py
  • Repo state at verification time: private=false, commit <fill after upload>

Reproduction:

python3 build_poc.py
python3 reproduce.py
Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support