YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

PoC: onnxruntime MatMulNBits PrePack heap out-of-bounds read (malicious .onnx)

Target: microsoft/onnxruntime β€” CPU contrib op MatMulNBits (4/8/2-bit quantized GEMM used by most quantized ONNX LLMs: Phi, Llama, Qwen, …). Format: ONNX (.onnx). Class: CWE-125 heap out-of-bounds read at model-load time (during PrePack, before Run()). Verified: official onnxruntime==1.27.0 pip wheel; source @ HEAD bb9ba7eba452791ac2e70c85044da96cf5555fe0 (2026-07-05).

What it is

MatMulNBits::PrePack computes how many bytes to read from the quantized weight initializer B (and scales) purely from the node attributes K, N, bits, block_size β€” it never checks those against the real byte-length of the B / scales initializer tensors. The only validation, matmul_nbits_helper::CheckInputs(...), runs inside Compute(), which happens after PrePack. PrePack runs automatically when the InferenceSession is constructed (on constant initializers), so an attacker only needs the victim to load the model β€” not run inference.

A malicious .onnx therefore sets large K/N attributes but ships a 1-byte B and 1-element scales. At load, MLAS's SQ4BitGemmPackQuantBData reads N * ceil(K/block_size) * block_size * bits/8 bytes from the 1-byte buffer β†’ heap OOB read β†’ crash (or, on non-crashing layouts, adjacent heap bytes get folded into the cached packed-weight buffer).

Files

  • evil.onnx β€” 212-byte malicious model. MatMulNBits(K=65536, N=4096, bits=4, block_size=32) with B=uint8[1], scales=float32[1]. Loading it faults in SQ4BitGemmPackQuantBData.
  • make_matmulnbits.py β€” regenerates evil.onnx and a benign.onnx control (correctly-sized B/scales).
  • load.py β€” loads a model with onnxruntime.InferenceSession and prints LOADED OK if no crash.
  • CRASH_PROVEN.md β€” lldb backtrace + the controlled experiment (evil crashes, benign loads clean).

Run

python3 -m venv v && ./v/bin/pip install onnx onnxruntime
./v/bin/python load.py evil.onnx     # -> EXC_BAD_ACCESS / SIGBUS in SQ4BitGemmPackQuantBData (session init)
./v/bin/python make_matmulnbits.py benign benign.onnx
./v/bin/python load.py benign.onnx   # -> LOADED OK  (only the initializer size differs)

This is a coordinated-disclosure security PoC for the huntr AI/ML bug-bounty program. It reads out-of-bounds memory to demonstrate a parser flaw; it contains no payload and performs no other action.

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support