You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

OpenVINO CPU Compilation DoS PoC

Summary

This repository contains a proof-of-concept ONNX model that triggers excessive memory allocation during OpenVINO CPU compilation.

The PoC model is only 100 bytes, but it declares an oversized static tensor shape:

[1, 500000000] float32

OpenVINO accepts the model during core.read_model(), but core.compile_model(model, "CPU") consumes around 2GB RSS under a 3GB address-space limit and fails before compilation completes.

Affected Component

  • Target: OpenVINO
  • Tested version: 2026.2.1-21919-ede283a8e3-releases/2026/2
  • Format: ONNX
  • Trigger API: core.compile_model(model, "CPU")
  • Device: CPU

Files

  • poc_openvino_compile_dos.onnx: crafted ONNX PoC
  • staged_openvino.py: reproduction script
  • evidence_500m_runs.txt: three stable reproduction runs
  • shape_compile_summary.txt: dimension sweep result
  • evidence_poc_size.txt: PoC file size evidence
  • oom_evidence_note.txt: note about previous OOM behavior

Reproduction

Install dependencies:

python3 -m venv .venv
source .venv/bin/activate
pip install openvino onnx numpy

Run with a safety memory limit:

/usr/bin/time -v prlimit --as=3221225472 --cpu=20 -- timeout --kill-after=2s 8s \
python -u staged_openvino.py poc_openvino_compile_dos.onnx

Expected Result

OpenVINO should reject the model before compilation or enforce safe resource checks before attempting large allocations.

Actual Result

core.read_model() succeeds, but core.compile_model(model, "CPU") consumes excessive memory and fails before compilation finishes.

Observed stable behavior:

[1] before read_model
[2] after read_model
[5] before compile_model
[-] EXCEPTION: RuntimeError Exception from src/inference/src/cpp/core.cpp:117
Maximum resident set size: around 2040 MB
Exit status: 2

Security Impact

An attacker can publish a very small crafted ONNX model. If a victim application automatically loads and compiles the model using OpenVINO CPU backend, the process can consume excessive memory and fail, causing denial of service in model validation, model serving, or automated model ingestion pipelines.

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support