--- tags: [security, poc, vulnerability-disclosure] --- # ExecuTorch `.pte` model-file vulnerability PoC (huntr MFV disclosure) Authorized security-research PoC for two model-file parsing bugs in `pytorch/executorch` (<= 1.3.1, main @ c9688e9). Both are crafted `.pte` files that a victim loading the model processes with no interaction / no auth. - `malicious_xnnpack_scale_oob.pte` — XNNPACK PerChannelQuant scale-buffer length not checked vs channel count (CWE-125 OOB read). Tensor declares 128 channels but supplies 1 scale; ExecuTorch accepts it (the sibling PerChannelGroupQuant path rejects the mismatch) and XNNPACK reads dims[channel_dim]=128 scales from a 1-element buffer at delegate init. Ref: backends/xnnpack/runtime/XNNCompiler.cpp:519-548 (sibling guard at :596). - `malicious_compute_numel.pte` — `compute_numel` unchecked integer overflow (CWE-190). Tensor sizes [2147483647,2147483647,4]; nbytes() = 18446744004990074896 (int64 overflow) -> model load fails (DoS). Ref: runtime/core/portable_type/tensor_impl.cpp:42 (sibling safe_numel:64 uses c10::mul_overflows). Repro: `pip install executorch==1.3.1 torch==2.12.0` then load each file with `executorch.extension.pybindings.portable_lib._load_for_executorch_from_buffer`. For research/disclosure only.