---
license: mit
tags:
- tensorrt
- security-research
- vulnerability-poc
---

# VULN-011: Heap Buffer Overflow in TensorRT ONNX Parser via INT4 Tensor (CWE-122)

## Summary

A crafted ONNX model with an INT4/UINT4 tensor where int32_data array exceeds the tensor shape causes a heap buffer overflow in TensorRT ONNX parser. The convertPackedInt32Data() function writes attacker-controlled data past the end of a heap buffer.

- CWE: CWE-122 (Heap-based Buffer Overflow)
- Severity: Critical (CVSS 8.8) - potentially exploitable for RCE
- Affected: TensorRT 10.15.1.29
- Crash: STATUS_HEAP_CORRUPTION (0xC0000374) - confirmed heap write corruption
- Reproducibility: 100% (15/15)

## Files

- vuln011_int4_heap_overflow.onnx (1,107 bytes) - INT4, 1KB overflow
- vuln011_uint4_heap_overflow.onnx (10,090 bytes) - UINT4, 5KB overflow
- vuln011_int4_extreme.onnx (100,091 bytes) - INT4, 100KB overflow
- vuln011_int4_heap_overflow.py - Build/crash/verify script

## Reproduction

python vuln011_int4_heap_overflow.py build
python vuln011_int4_heap_overflow.py verify
python vuln011_int4_heap_overflow.py crash

## Root Cause

WeightsContext.cpp convertPackedInt32Data() writes nbytes=int32_data.size() bytes to a buffer allocated for (volume(shape)*4+4)/8 bytes. No bounds check. Attacker controls overflow length and content.