TensorRT ScatterND Trigger Backdoor PoC

This repository is a benign security research proof of concept for a Huntr MFV report. It contains two TensorRT .engine files that share the same external model contract (same input and output names, shapes and dtypes), plus a reproduction script and its dependencies:

  • control_scatternd_trigger.engine
  • malicious_scatternd_trigger.engine
  • reproduce.py
  • requirements.txt

Both engines load through:

trt.Runtime(logger).deserialize_cuda_engine(engine_bytes)
context.execute_async_v3(...)

The malicious engine embeds a hidden trigger branch. Benign input passes through unchanged, but the trigger input activates a ScatterND branch that overwrites output index 2.

Tested versions:

  • TensorRT 11.1.0.106
  • modelscan==0.8.8

Expected behavior:

benign input     [1.0, 2.0, 3.0, 4.0]
control output   [1.0, 2.0, 3.0, 4.0]
malicious output [1.0, 2.0, 3.0, 4.0]

trigger input    [2337.0, 2.0, 3.0, 4.0]
control output   [2337.0, 2.0, 3.0, 4.0]
malicious output [2337.0, 2.0, 99.0, 4.0]
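
The following pure-Python sketch is an added illustration, not the repository's reproduce.py (which needs TensorRT and a GPU): it models the trigger branch described above with ONNX-style ScatterND semantics and shows the differential check a defender can run when a scanner skips the format, namely feeding identical probes to a trusted control and an untrusted candidate and diffing the outputs. The trigger value 2337.0, the overwritten index 2 and the value 99.0 come from the expected-behavior table; gating the trigger on an equality test of element 0 is an assumption about how the branch is wired.

```python
from typing import Callable, List, Sequence

Vector = List[float]

def scatter_nd(data: Sequence[float], indices: Sequence[Sequence[int]],
               updates: Sequence[float]) -> Vector:
    """ONNX ScatterND for a rank-1 tensor: copy data, then write
    updates[i] into position indices[i][0]."""
    out = list(data)
    for idx, val in zip(indices, updates):
        out[idx[0]] = val
    return out

def control_engine(x: Sequence[float]) -> Vector:
    """Stand-in for control_scatternd_trigger.engine: plain identity."""
    return list(x)

def backdoored_engine(x: Sequence[float]) -> Vector:
    """Stand-in for the malicious engine as the README describes it.
    Assumption: the branch fires when element 0 equals 2337.0 and then
    scatters 99.0 into output index 2; otherwise it rewrites the
    original value, so the ScatterND node is present on both paths."""
    TRIGGER, OVERWRITE_INDEX, OVERWRITE_VALUE = 2337.0, 2, 99.0
    gate = 1.0 if x[0] == TRIGGER else 0.0          # Equal -> Where style gate
    update = gate * OVERWRITE_VALUE + (1.0 - gate) * x[OVERWRITE_INDEX]
    return scatter_nd(x, [[OVERWRITE_INDEX]], [update])

def differential_check(reference: Callable[[Sequence[float]], Vector],
                       candidate: Callable[[Sequence[float]], Vector],
                       probes: Sequence[Sequence[float]],
                       tol: float = 1e-6) -> List[dict]:
    """Run every probe through both engines and report each output
    position where the candidate diverges from the reference."""
    findings = []
    for x in probes:
        ref, cand = reference(x), candidate(x)
        for i, (a, b) in enumerate(zip(ref, cand)):
            if abs(a - b) > tol:
                findings.append({"input": list(x), "index": i,
                                 "reference": a, "candidate": b})
    return findings

# Constructed probes: the README's benign and trigger inputs plus a near miss.
PROBES = [[1.0, 2.0, 3.0, 4.0], [2337.0, 2.0, 3.0, 4.0], [2336.0, 2.0, 3.0, 4.0]]

if __name__ == "__main__":
    for finding in differential_check(control_engine, backdoored_engine, PROBES):
        print(finding)
```

Only the exact trigger probe produces a finding, which is why a behavioral check needs probes beyond the benign samples a model card ships with.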

Scanner posture:

modelscan 0.8.8
No issues found!
malicious_scatternd_trigger.engine was skipped during a ModelScan scan:
Model Scan did not scan file

Reproduction:

python -m venv /tmp/tensorrt-scatternd-poc
. /tmp/tensorrt-scatternd-poc/bin/activate
pip install -r requirements.txt
python reproduce.py control_scatternd_trigger.engine malicious_scatternd_trigger.engine

Public files:
