
TensorRT VULN-006: Engine Deserializer Memory Corruption

Vulnerability

A single-byte modification in the THGW (weights/metadata) section of a valid TensorRT engine file causes deserializeCudaEngine() to crash with STATUS_ACCESS_VIOLATION (0xC0000005 / SIGSEGV).

The crash occurs in the closed-source plan file parser (libnvinfer.dll / libnvinfer.so) during engine deserialization - before any inference, before any plugin code runs. The PoC model uses only built-in TensorRT layers (Conv, ReLU, Pooling, MatMul) with no plugins.

This is NOT the known serialize.hpp assert-based bounds check issue that affects open-source plugin code. This vulnerability is in the core engine file parser.

Impact

  • Denial of service for any application loading untrusted .engine / .trt / .plan files
  • Affects NVIDIA Triton, TensorRT-LLM, edge inference pipelines, MLOps platforms
  • ACCESS_VIOLATION indicates unsafe memory access - may be exploitable for code execution
  • Multiple independent crash offsets exist (13+ found in testing)
  • At some offsets, up to 252/255 byte values trigger the crash
  • setEngineHostCodeAllowed flag is irrelevant - crash occurs before host code checks
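Because the crash happens inside deserializeCudaEngine() before any policy flag is consulted, the only controls that help are applied before the call: refuse engine files whose digest is not on an allow-list (any single-byte change fails the check), and run a canary deserialization in a throwaway child process so a parser crash cannot take down the serving process. The script below is an added example, not one of the PoC scripts in this repository; it assumes only the standard TensorRT Python API (trt.Runtime.deserialize_cuda_engine), and the allow-list, file names and the sample blob it hashes are constructed for illustration.

```python
"""Defensive gate for loading TensorRT engine files (added example).

Integrity check first, then a canary load in a sacrificial child process.
Only the child imports tensorrt, so this module runs without a GPU.
"""
import hashlib
import hmac
import os
import subprocess
import sys
import tempfile

# Constructed allow-list: SHA-256 digests of engines built by your own pipeline.
# A real deployment ships these in a signed manifest next to the engine files.
TRUSTED_ENGINE_DIGESTS: set[str] = set()

# NTSTATUS for STATUS_ACCESS_VIOLATION; subprocess reports it on Windows as an
# unsigned 32-bit exit status. On Linux a signal death shows as -signum (-11 for
# SIGSEGV), so any negative status is treated as a crash as well.
_STATUS_ACCESS_VIOLATION = 0xC0000005

# Child script run in its own process: a crash here kills only the child.
_CHILD = r"""
import sys
import tensorrt as trt  # imported only in the sacrificial child
with open(sys.argv[1], "rb") as f:
    blob = f.read()
runtime = trt.Runtime(trt.Logger(trt.Logger.ERROR))
engine = runtime.deserialize_cuda_engine(blob)
sys.exit(0 if engine is not None else 2)
"""


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so multi-GB engines need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_trusted_engine(path: str, trusted: set[str]) -> bool:
    """Accept the file only if its digest is on the allow-list.
    A one-byte change anywhere in the file (e.g. in the THGW section) fails here."""
    digest = sha256_file(path)
    return any(hmac.compare_digest(digest, known) for known in trusted)


def classify_exit_status(returncode: int) -> str:
    """Map the canary child's exit status to 'ok', 'crash' or 'rejected'."""
    if returncode == 0:
        return "ok"
    if returncode < 0 or returncode == _STATUS_ACCESS_VIOLATION:
        return "crash"  # SIGSEGV on POSIX, 0xC0000005 on Windows
    return "rejected"  # deserialize_cuda_engine returned None, or other error


def load_engine_isolated(path: str, trusted: set[str],
                         timeout_s: float = 120.0) -> tuple[str, str]:
    """Gate on the digest, then canary-deserialize in a child process.
    Returns (verdict, detail); the caller loads the engine itself only on 'ok'."""
    if not is_trusted_engine(path, trusted):
        return "rejected", "digest not on allow-list; refusing to deserialize"
    try:
        proc = subprocess.run([sys.executable, "-c", _CHILD, path],
                              capture_output=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return "rejected", f"canary deserialization exceeded {timeout_s}s"
    return classify_exit_status(proc.returncode), f"child exit status {proc.returncode}"


def demo_one_byte_flip() -> tuple[bool, bool]:
    """Constructed demonstration: a 1 KiB blob stands in for an engine file.
    Returns (trusted before the flip, trusted after flipping one byte)."""
    blob = bytes(range(256)) * 4
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.engine")
        with open(path, "wb") as f:
            f.write(blob)
        digest = sha256_file(path)
        before = is_trusted_engine(path, {digest})
        flipped = bytearray(blob)
        flipped[300] ^= 0x01  # single-bit change in the middle of the "weights"
        with open(path, "wb") as f:
            f.write(bytes(flipped))
        after = is_trusted_engine(path, {digest})
    return before, after


if __name__ == "__main__":
    print("trusted (before, after one-byte flip):", demo_one_byte_flip())
    if len(sys.argv) > 1:
        # Trusting the file's own digest here only exercises the canary load.
        print(load_engine_isolated(sys.argv[1], {sha256_file(sys.argv[1])}))
```

The digest gate is the real control: it rejects a modified file without ever handing it to the parser. The canary load is defence in depth for engines that pass the gate (or for pipelines that cannot yet ship a manifest): a crash surfaces as a "crash" verdict from an expendable child rather than as an outage of the long-lived inference server.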

Key Details

Property     Value
Crash type   STATUS_ACCESS_VIOLATION (0xC0000005) / SIGSEGV
Crash rate   100% (10/10 runs)
Trigger      1 byte changed in engine file
Section      THGW (weights metadata)
Component    libnvinfer closed-source plan file parser
Plugins      None used

Files

File                    Description
vuln006_build_poc.py    Builds valid engine, finds crash offset, creates PoC files
vuln006_load_crash.py   Demonstrates the crash by loading the malicious engine
vuln006_valid.engine    Pre-built valid engine (loads successfully)
vuln006_crash.engine    Pre-built crashing engine (1 byte different)
vuln006_meta.txt        Crash offset and metadata

Reproduction

NOTE: Engine files are GPU-architecture-specific. For full reproduction on a different GPU, run the build script:

pip install tensorrt numpy
python vuln006_build_poc.py
python vuln006_load_crash.py

Root Cause

The THGW section contains weight data interleaved with internal metadata (type codes, dimension counts, offsets). The closed-source deserializer parses these fields without sufficient validation, causing invalid memory access when metadata bytes are corrupted.

Tested On

  • TensorRT 10.15.1.29
  • Windows + Linux (MSYS2)
  • RTX 4080 Super, CUDA 12.x