TensorRT ScatterElements Invalid Reduction PoC

This is a benign security research PoC for a Huntr Model File Vulnerability report.

Files

  • scatterelements-invalid-reduction.engine: TensorRT engine with a legacy ScatterElements v1 plugin payload whose serialized ReductionType enum is 99.
  • control-scatterelements-add.engine: matching control engine with ReductionType::kSUM and axis=1.
  • reproduce.py: loads both engines and runs the same inference input.

Public URLs:

SHA256:

  • scatterelements-invalid-reduction.engine: 1dea8b3e87f274c8540d6521b5995df62ff89e0399397baa5c3a5e31bc4887e7
  • control-scatterelements-add.engine: 8d62826f8f17b05509c60f7cb9c000d859b7df67d603b50a9adb69ef86d808f2

Trigger

The malicious behavior is triggered by loading the .engine file with TensorRT and running inference.

Input:

data    = [10, 20, 30, 40]
indices = [0, 2]
updates = [100, 200]

The control engine applies scatter-add and returns [110, 20, 230, 40].

The malicious engine loads and executes successfully, but because the serialized reduction enum is outside the valid 0..4 range, the reduction dispatch does not run. The output remains the original data: [10, 20, 30, 40].

Reproduction

Tested with TensorRT 11.1.0.106 on NVIDIA GPUs.

python3 reproduce.py \
  --control control-scatterelements-add.engine \
  --malicious scatterelements-invalid-reduction.engine \
  --gpu 0

The public artifact can also be tested directly:

python3 reproduce.py \
  --control https://huggingface.co/hacnho/tensorrt-scatterelements-invalid-reduction-poc/resolve/main/control-scatterelements-add.engine \
  --malicious https://huggingface.co/hacnho/tensorrt-scatterelements-invalid-reduction-poc/resolve/main/scatterelements-invalid-reduction.engine \
  --gpu 0

Expected result:

  • control_signature: [110.0, 20.0, 230.0, 40.0]
  • malicious_signature: [10.0, 20.0, 30.0, 40.0]
  • output_changed: true

Scanner posture for the public-downloaded malicious engine:

  • modelscan 0.8.8: summary says No issues found; .engine is skipped as Model Scan did not scan file and the CLI exits 3.
  • picklescan: cannot parse the .engine as pickle, but reports Infected files: 0 and Dangerous globals: 0.
Downloads last month
-
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support