ExecuTorch .pte Integer Overflow + Disabled Verification → Heap Buffer Overflow
Summary
Two compounding vulnerabilities in PyTorch ExecuTorch allow a crafted .pte model file
to trigger a heap buffer overflow when loaded:
- Integer overflow checks in program_validation.cpp are commented out: the numel and nbytes overflow validation code exists but is disabled, allowing crafted tensors with dimensions that overflow when multiplied.
- Program verification is disabled by default in production builds: CMakeLists.txt sets ET_ENABLE_PROGRAM_VERIFICATION=0 unless explicitly overridden, meaning the FlatBuffer verifier and validate_program() are never called.
Combined, an attacker can craft a .pte file with tensor dimensions that:
- Pass the (disabled) verification
- Overflow during numel calculation in tensor parsing
- Cause an undersized heap allocation followed by an oversized memcpy
- Result in heap buffer overflow → potential RCE
Affected Code
Bug 1: Commented-out overflow checks
File: runtime/executor/program_validation.cpp, lines 48-76
// ssize_t numel = 1;
for (flatbuffers::uoffset_t i = 0; i < sizes->size(); i++) {
  int32_t size = sizes->Get(i);
  if (size < 0) { /* ... reject negative ... */ }
  // bool overflow =
  //     c10::mul_overflows(numel, static_cast<ssize_t>(size), &numel);
  // if (overflow) {
  //   return Error::InvalidProgram;
  // }
}
// size_t nbytes;
// bool nbytes_overflow = c10::mul_overflows(
//     static_cast<size_t>(numel),
//     executorch::runtime::elementSize(scalar_type),
//     &nbytes);
// if (nbytes_overflow) {
//   return Error::InvalidProgram;
// }
The c10::mul_overflows checks for both numel and nbytes are entirely commented
out. A tensor with shape [2^31-1, 2^31-1] would overflow a 32-bit product, resulting
in a small allocation but a large memcpy.
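The following added example (not ExecuTorch code) contrasts an unchecked size computation with one that follows the structure of the disabled checks. The function names are hypothetical, `__builtin_mul_overflow` (GCC/Clang) stands in for `c10::mul_overflows`, 64-bit `ssize_t`/`size_t` are modeled with fixed-width types, and the shapes are constructed, not taken from a real .pte file.

```cpp
// Added example; not ExecuTorch source. Function names are hypothetical.
#include <cstdint>
#include <cstdio>
#include <vector>

// Unchecked size computation: unsigned arithmetic wraps silently modulo 2^64.
uint64_t unchecked_nbytes(const std::vector<int32_t>& sizes, uint64_t elem_size) {
  uint64_t numel = 1;
  for (int32_t s : sizes) numel *= static_cast<uint64_t>(s);
  return numel * elem_size;
}

// Checked computation with the same structure as the disabled validation:
// reject negative dims, then detect overflow in numel and again in nbytes.
// __builtin_mul_overflow (GCC/Clang) is used in place of c10::mul_overflows.
bool checked_nbytes(const std::vector<int32_t>& sizes, uint64_t elem_size,
                    uint64_t* out_nbytes) {
  int64_t numel = 1;  // models a 64-bit ssize_t
  for (int32_t s : sizes) {
    if (s < 0) return false;
    if (__builtin_mul_overflow(numel, static_cast<int64_t>(s), &numel))
      return false;
  }
  uint64_t nbytes = 0;  // models a 64-bit size_t
  if (__builtin_mul_overflow(static_cast<uint64_t>(numel), elem_size, &nbytes))
    return false;
  *out_nbytes = nbytes;
  return true;
}

int main() {
  // Constructed shapes for illustration only.
  const std::vector<int32_t> wrap = {65536, 65536, 65536, 65536};  // numel = 2^64
  const std::vector<int32_t> ok = {2, 3, 4};
  uint64_t n = 0;
  std::printf("unchecked nbytes, wrapping shape: %llu\n",
              static_cast<unsigned long long>(unchecked_nbytes(wrap, 4)));
  const bool wrap_ok = checked_nbytes(wrap, 4, &n);
  std::printf("checked accepts wrapping shape: %d\n", wrap_ok);
  const bool ok_ok = checked_nbytes(ok, 4, &n);
  std::printf("checked accepts small shape: %d (nbytes=%llu)\n", ok_ok,
              static_cast<unsigned long long>(n));
  return 0;
}
```

The second check matters on its own: a shape whose element count fits in 64 bits can still overflow once multiplied by the element size.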
Bug 2: Verification disabled by default
File: CMakeLists.txt, lines 174-179
if(NOT EXECUTORCH_ENABLE_PROGRAM_VERIFICATION)
  add_definitions(-DET_ENABLE_PROGRAM_VERIFICATION=0)
endif()
EXECUTORCH_ENABLE_PROGRAM_VERIFICATION is never set to ON by default, so the condition
NOT false evaluates to true, and verification is disabled. This means:
- The FlatBuffer Verifier is never invoked
- validate_program() (which itself has the overflow checks disabled) is never called
- Malformed .pte files are loaded without any structural validation
Vulnerable memcpy
File: runtime/executor/tensor_parser_portable.cpp, lines 105-107
std::memcpy(
    sizes_buf, serialized_sizes, sizeof(executorch::aten::SizesType) * dim);
std::memcpy(
    dim_order_buf, serialized_dim_order,
    sizeof(executorch::aten::DimOrderType) * dim);
The dim value comes directly from the FlatBuffer without overflow validation.
Impact
- Heap buffer overflow via integer overflow in tensor size calculations
- Potential RCE on mobile/embedded devices running ExecuTorch
- Particularly dangerous because ExecuTorch targets mobile and edge devices where security hardening is often minimal
- The verification is explicitly disabled to save ~20KB binary size, prioritizing size over security
Affected Versions
- ExecuTorch main branch (as of March 30, 2026, commit 520566c)
- Likely all versions since the verification disable was introduced
- The pip-installable executorch package
Suggested Fix
- Uncomment the overflow checks in program_validation.cpp
- Enable program verification by default (or at minimum for the Python runtime)
- Add bounds checking before memcpy operations in tensor_parser_portable.cpp