TensorRT MultilevelCropAndResize threshold PoC

This public repository contains a benign security research PoC for a TensorRT Model File Vulnerability report.

Files:

  • control_multilevelcrop.engine: control TensorRT engine with serialized MultilevelCropAndResize_TRT mThresh=12544.0.
  • malicious_threshold_zero.engine: crafted TensorRT engine with serialized MultilevelCropAndResize_TRT mThresh=0.0.
  • reproduce.py: runs both engines through TensorRT inference and prints the output delta.

Tested environment:

  • TensorRT 11.1.0.106
  • modelscan 0.8.8
  • Entry point: trt.Runtime(logger).deserialize_cuda_engine(...), then ctx.execute_async_v3(0)

Reproduction:

python reproduce.py \
  --control control_multilevelcrop.engine \
  --malicious malicious_threshold_zero.engine

Expected result:

  • Control output prefix: [10.0, 10.0, 10.0, 10.0, ...]
  • Malicious output prefix: [50.0, 50.0, 50.0, 50.0, ...]

The malicious engine silently reroutes ROIAlign sampling from the expected FPN feature level to another feature level while the engine loads and executes.

Scanner result:

modelscan 0.8.8: No issues found
Skipped: Model Scan did not scan file
Downloads last month
-
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support