onnx-tensorrt: OOB read via unvalidated external_data offset (CWE-125)
Loading malicious.onnx with onnx-tensorrt (NVIDIA's TensorRT ONNX parser; also bundled in NVIDIA/TensorRT)
triggers an out-of-bounds read while importing the model's weights.
Root cause
onnx-tensorrt/WeightsContext.cpp, parseExternalWeights(): the offset from a TensorProto's
external_data map is used directly as weightsPtr = mmap_base + offset with no bounds check against the
mapped file size (only length is validated, against the tensor's dims). convertOnnxWeights() then reads
the weights at mmap_base + offset (for DOUBLE tensors, via convertDouble() at parse time).
offset is fully attacker-controlled (a decimal string parsed with atoll), so the read address is attacker-controlled.
Files
- poc.zip: contains malicious.onnx (the model) + w.bin; unzip before running. The ONNX model whose single initializer w uses external_data with offset=1073741824 (1 GiB), dtype=DOUBLE, dims=[8]
- w.bin: the (valid, 64-byte) external weights file it references
- harness.cpp / stubs.cpp / build.sh: a GPU-free ASAN harness that runs the real onnx-tensorrt weight-import path on malicious.onnx
- PROOF.txt: the AddressSanitizer report
Reproduce (GPU-free, ~minutes)
- git clone https://github.com/onnx/onnx-tensorrt && git clone https://github.com/NVIDIA/TensorRT (for include/ headers)
- Get protobuf without sudo: apt-get download protobuf-compiler libprotobuf-dev libprotobuf32t64 && for d in *.deb; do dpkg-deb -x "$d" localroot; done
- Copy onnx-ml.proto (from the onnx pip package) into onnx/, then run build.sh.
- unzip poc.zip && ./poc_oob malicious.onnx → AddressSanitizer: SEGV on ... READ in convertDouble at mmap_base + 0x40000000 (== the 1 GiB offset).
Alternatively, on a machine with TensorRT + a GPU: trtexec --onnx=malicious.onnx reaches the same import path.
Fix
In parseExternalWeights, validate offset (and offset + length) against the mapped file size before
weightsPtr = mmap_base + offset; reject negative/out-of-range offsets.
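The check described above, written out as an added example; it is not onnx-tensorrt's code or an upstream patch. The function names parseDecimalU64 and checkedWeightsPtr are hypothetical, and offset and length are assumed to arrive as the decimal strings stored in external_data.

```cpp
#include <cstdint>
#include <limits>
#include <string>

// Hypothetical helpers for illustration; not taken from onnx-tensorrt.

// Strictly parse a non-negative decimal string. Unlike atoll, this rejects
// signs, whitespace, trailing junk, empty input and values that overflow.
bool parseDecimalU64(const std::string& s, uint64_t& out)
{
    if (s.empty()) return false;
    uint64_t v = 0;
    for (char c : s)
    {
        if (c < '0' || c > '9') return false;
        const uint64_t d = static_cast<uint64_t>(c - '0');
        // v * 10 + d would exceed UINT64_MAX: treat as invalid, do not wrap.
        if (v > (std::numeric_limits<uint64_t>::max() - d) / 10) return false;
        v = v * 10 + d;
    }
    out = v;
    return true;
}

// Returns a pointer to [offset, offset + length) inside the mapping, or
// nullptr when that range is not fully contained in the mapped file.
const uint8_t* checkedWeightsPtr(const uint8_t* mmapBase, uint64_t fileSize,
    const std::string& offsetStr, const std::string& lengthStr)
{
    uint64_t offset = 0;
    uint64_t length = 0;
    if (!parseDecimalU64(offsetStr, offset) || !parseDecimalU64(lengthStr, length))
        return nullptr;
    // Compare by subtraction so that offset + length can never wrap around.
    if (offset > fileSize || length > fileSize - offset)
        return nullptr;
    return mmapBase + offset;
}
```

With the 64-byte w.bin and offset=1073741824 from this report, the helper returns nullptr instead of a pointer 1 GiB past the mapping.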
Not a duplicate of the known ONNX external_data CVEs
This bug is in NVIDIA's onnx-tensorrt parser (WeightsContext.cpp), a different codebase from the onnx
Python/C++ library. The publicly known ONNX external_data issues are path traversal:
- CVE-2022-25882: onnx <1.13, external_data path outside model dir
- CVE-2026-27489: onnx <1.21, external_data symlink escape
onnx-tensorrt already guards ../ path traversal. This report is a different bug class: an unvalidated
numeric offset (not a path) added to the mmap base → out-of-bounds read. No CVE/GHSA/OSV or prior huntr
report covers the onnx-tensorrt offset gap.
Severity
CVSS 3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H = 6.5 (Medium) for the demonstrated crash/DoS; the attacker-controlled
read address gives information-disclosure potential that could raise it.