You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

TensorRT ModelScan Bypass PoC

Security research: TensorRT engine files (.engine/.trt/.mytrtfile) with embedded native plugins bypass ModelScan completely and achieve arbitrary code execution via __attribute__((constructor)) triggered during dlopen() at deserialization time.

For authorized security research only.

Vulnerability Summary

ModelScan does not recognize TensorRT engine files → always SKIPPED
TensorRT plugins_to_serialize embeds native .so into engine files
__attribute__((constructor)) executes on dlopen() BEFORE any TensorRT validation
RCE triggers even with engine_host_code_allowed=False (default safe setting)

Files

malicious_engine.engine — TensorRT engine with embedded malicious plugin
malicious_plugin.cpp — Source code of the malicious plugin
poc_exhaustive.py — Exhaustive verification script (4 tests)

Reproduction

Requires: TensorRT 10.x, CUDA 12.x, GPU with SM 7.0+

import tensorrt as trt
runtime = trt.Runtime(trt.Logger())
# RCE triggers on deserialize — even with default safe settings
with open('malicious_engine.engine', 'rb') as f:
    engine = runtime.deserialize_cuda_engine(f.read())

Downloads last month: -

Inference Providers NEW

This model isn't deployed by any Inference Provider. 🙋 Ask for provider support