
TensorRT ACE PoC: Arbitrary Code Execution via Embedded Plugin DLL

Vulnerability Summary

TensorRT .engine files support embedding plugin shared libraries via plugins_to_serialize. When such an engine is deserialized with deserialize_cuda_engine(), TensorRT unconditionally extracts the embedded DLL to a temp file and loads it via LoadLibrary() / dlopen(). This triggers native code execution (e.g., DllMain on Windows, __attribute__((constructor)) on Linux).

The engine_host_code_allowed security flag (which defaults to False) does NOT prevent this. The flag only gates lean runtime loading, not embedded plugin libraries.

Affected

  • Product: NVIDIA TensorRT
  • Tested Version: 10.15.1.29
  • File Format: .engine / .trt / .plan
  • API: IRuntime::deserializeCudaEngine() / trt.Runtime.deserialize_cuda_engine()

Files

  • malicious_model.engine: Pre-built malicious engine file containing embedded DLL
  • malicious_plugin.cpp: Source code for the malicious plugin DLL
  • malicious_plugin.dll: Compiled malicious plugin (Windows x64)
  • build_malicious_engine.py: Script to build the malicious engine from scratch
  • load_malicious_engine.py: Script to demonstrate ACE by loading the engine

Reproduction Steps

Quick Test (use pre-built engine)

# Requires: pip install tensorrt (tested with 10.15.1.29)
python load_malicious_engine.py
# Check for PWNED.txt: if it exists, ACE was achieved

Build From Scratch

  1. Compile the malicious plugin DLL (Windows/MSVC):

    cl /nologo /EHsc /LD /Fe:malicious_plugin.dll malicious_plugin.cpp /link user32.lib kernel32.lib
    
  2. Build the malicious engine:

    python build_malicious_engine.py
    
  3. Test ACE:

    python load_malicious_engine.py
    

What Happens

  1. load_malicious_engine.py creates a TensorRT runtime with engine_host_code_allowed = False (default)
  2. It calls runtime.deserialize_cuda_engine(engine_data)
  3. TensorRT extracts the embedded DLL to %TEMP%\pluginLibrary_*.dll
  4. TensorRT calls LoadLibrary() on the extracted DLL
  5. DllMain executes, creating PWNED.txt as proof of arbitrary code execution
  6. Deserialization itself fails (no valid plugin creators), but the code already ran

Key Evidence from TensorRT Logs

[TRT] [V] Local registry attempting to deserialize library from memory
[TRT] [V] Created temporary shared library C:\Users\...\Temp\pluginLibrary_4cef6c0cb351aa4e.dll
[TRT] [V] Loaded temporary shared library C:\Users\...\Temp\pluginLibrary_4cef6c0cb351aa4e.dll

This occurs even with engine_host_code_allowed = False.

Impact

  • Arbitrary native code execution in any process that loads an untrusted .engine file
  • No existing scanner (ModelScan, etc.) detects this
  • Supply chain attack via malicious models on HuggingFace, model registries, etc.
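Since the engine is loaded before any plugin creator is validated, the only place to catch this is before deserialize_cuda_engine() is ever called. The following pre-load check is an added example, not code from this PoC repository or from NVIDIA: it scans the raw bytes of an engine file for embedded PE (MZ/PE\0\0) and ELF (\x7fELF) images, which is the kind of heuristic a scanner such as ModelScan could add. It deliberately does not depend on TensorRT's serialization layout, which is not documented on this page; the sample blob below is constructed for the demonstration.

```python
import struct

ELF_MAGIC = b"\x7fELF"
DOS_MAGIC = b"MZ"


def find_embedded_binaries(data: bytes) -> list:
    """Return sorted (offset, kind) pairs for every PE or ELF image found in data.

    Heuristic only: it looks for executable headers anywhere in the blob, so a
    hit means 'this engine carries a native library', not 'this engine is malicious'.
    """
    hits = []
    # ELF images start with the 4-byte magic; any occurrence is reported.
    pos = data.find(ELF_MAGIC)
    while pos >= 0:
        hits.append((pos, "ELF"))
        pos = data.find(ELF_MAGIC, pos + 1)
    # PE images start with a DOS header whose e_lfanew field (offset 0x3C)
    # points at the "PE\0\0" signature; requiring that link filters out the
    # many stray "MZ" byte pairs that appear in weight data.
    pos = data.find(DOS_MAGIC)
    while pos >= 0:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\0\0":
                hits.append((pos, "PE"))
        pos = data.find(DOS_MAGIC, pos + 1)
    return sorted(hits)


def scan_engine_file(path: str) -> list:
    """Scan a .engine/.trt/.plan file on disk; call this before deserializing it."""
    with open(path, "rb") as f:
        return find_embedded_binaries(f.read())


def build_sample() -> bytes:
    """Constructed test blob: filler bytes followed by a minimal PE header at offset 60."""
    dos_header = bytearray(DOS_MAGIC + b"\0" * 0x3E)        # 0x40-byte DOS stub
    struct.pack_into("<I", dos_header, 0x3C, 0x40)           # e_lfanew -> PE signature
    return b"engine-header-bytes\0" * 3 + bytes(dos_header) + b"PE\0\0" + b"\0" * 32


if __name__ == "__main__":
    print(find_embedded_binaries(build_sample()))  # [(60, 'PE')]
```

Embedding plugins via plugins_to_serialize is a supported TensorRT feature, so a hit should route the file to review rather than be treated as proof of compromise; a clean result likewise only rules out this one loader path, not other deserialization risks.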