YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
PoC: onnxruntime MatMulNBits PrePack heap out-of-bounds read (malicious .onnx)
Target: microsoft/onnxruntime β CPU contrib op MatMulNBits (4/8/2-bit quantized GEMM used by
most quantized ONNX LLMs: Phi, Llama, Qwen, β¦).
Format: ONNX (.onnx).
Class: CWE-125 heap out-of-bounds read at model-load time (during PrePack, before Run()).
Verified: official onnxruntime==1.27.0 pip wheel; source @ HEAD bb9ba7eba452791ac2e70c85044da96cf5555fe0 (2026-07-05).
What it is
MatMulNBits::PrePack computes how many bytes to read from the quantized weight initializer B
(and scales) purely from the node attributes K, N, bits, block_size β it never checks
those against the real byte-length of the B / scales initializer tensors. The only validation,
matmul_nbits_helper::CheckInputs(...), runs inside Compute(), which happens after PrePack.
PrePack runs automatically when the InferenceSession is constructed (on constant initializers),
so an attacker only needs the victim to load the model β not run inference.
A malicious .onnx therefore sets large K/N attributes but ships a 1-byte B and 1-element
scales. At load, MLAS's SQ4BitGemmPackQuantBData reads
N * ceil(K/block_size) * block_size * bits/8 bytes from the 1-byte buffer β heap OOB read β crash
(or, on non-crashing layouts, adjacent heap bytes get folded into the cached packed-weight buffer).
Files
evil.onnxβ 212-byte malicious model.MatMulNBits(K=65536, N=4096, bits=4, block_size=32)withB=uint8[1],scales=float32[1]. Loading it faults inSQ4BitGemmPackQuantBData.make_matmulnbits.pyβ regeneratesevil.onnxand abenign.onnxcontrol (correctly-sized B/scales).load.pyβ loads a model withonnxruntime.InferenceSessionand printsLOADED OKif no crash.CRASH_PROVEN.mdβ lldb backtrace + the controlled experiment (evil crashes, benign loads clean).
Run
python3 -m venv v && ./v/bin/pip install onnx onnxruntime
./v/bin/python load.py evil.onnx # -> EXC_BAD_ACCESS / SIGBUS in SQ4BitGemmPackQuantBData (session init)
./v/bin/python make_matmulnbits.py benign benign.onnx
./v/bin/python load.py benign.onnx # -> LOADED OK (only the initializer size differs)
This is a coordinated-disclosure security PoC for the huntr AI/ML bug-bounty program. It reads out-of-bounds memory to demonstrate a parser flaw; it contains no payload and performs no other action.