
CVE-2025-30402: ExecuTorch vulnerable to Heap-based Buffer Overflow attack

CVSS Score: 8.1

Basic Information

EPSS Score: -
Published: 7/11/2025
Updated: 7/11/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
executorch | pip | <= 0.6.0 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability lies in the calculate_nbytes function in runtime/executor/method_meta.cpp. Commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f patches this function directly by adding integer overflow checks. The vulnerability description mentions a heap-buffer-overflow during the loading of ExecuTorch methods, which matches the purpose of calculate_nbytes: determining the number of bytes a tensor needs. The patch replaces the plain multiplication of the dimensions with a version that checks for overflow at each step. The added test case TensorInfoSizeOverflow in runtime/executor/test/method_meta_test.cpp confirms that the issue is an overflow in the size calculation by testing for it explicitly. executorch::runtime::calculate_nbytes is called during model loading; an integer overflow inside it yields an incorrectly sized buffer allocation, and the heap overflow occurs when the tensor data is then loaded into that buffer.

Vulnerable functions

executorch::runtime::calculate_nbytes
runtime/executor/method_meta.cpp
The function `calculate_nbytes` is vulnerable to an integer overflow. The original implementation multiplied tensor dimensions and element size to calculate the total byte size without checking for arithmetic overflow. An attacker could provide a crafted model with large tensor dimensions that would cause the multiplication to wrap around, resulting in a small value. This small value would then be used to allocate a heap buffer. When the model data is subsequently copied into this undersized buffer, a heap-based buffer overflow occurs, which could lead to a crash or arbitrary code execution.
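The root cause analysis and the function description above both describe the same defect: a byte-size calculation that multiplies tensor dimensions without checking for wrap-around. The following illustration is added here and is not ExecuTorch's code; the function names, the `int64_t` shape representation, the element size and the crafted shape are all assumptions made for the example. It places the unchecked multiplication next to an overflow-checked version and shows that a constructed shape whose element count is 2^64 + 4 is reported as 16 bytes by the unchecked path but rejected by the checked one.

```cpp
// Added illustration of CVE-2025-30402's defect class; not ExecuTorch's
// implementation. All names and the sample shapes are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Assumed element size for a 32-bit float tensor.
constexpr size_t kFloat32Bytes = 4;

// Vulnerable pattern: plain multiplication. A crafted shape can wrap the
// product modulo 2^64, producing a small value that then sizes a heap
// buffer far too small for the tensor data copied into it.
size_t nbytes_unchecked(const std::vector<int64_t>& sizes, size_t elem_size) {
  size_t n = 1;
  for (int64_t s : sizes) {
    n *= static_cast<size_t>(s);  // silently wraps on overflow
  }
  return n * elem_size;           // may wrap again
}

// Portable checked multiply: returns false when a*b does not fit in size_t.
static bool checked_mul(size_t a, size_t b, size_t* out) {
  if (b != 0 && a > SIZE_MAX / b) {
    return false;
  }
  *out = a * b;
  return true;
}

// Hardened pattern: reject negative dimensions and check every
// multiplication, including the final one by the element size.
// std::nullopt means the shape cannot be represented and loading should fail.
std::optional<size_t> nbytes_checked(const std::vector<int64_t>& sizes,
                                     size_t elem_size) {
  size_t n = 1;
  for (int64_t s : sizes) {
    if (s < 0) {
      return std::nullopt;  // negative dimension is never valid
    }
    if (!checked_mul(n, static_cast<size_t>(s), &n)) {
      return std::nullopt;  // element count overflowed
    }
  }
  size_t total = 0;
  if (!checked_mul(n, elem_size, &total)) {
    return std::nullopt;    // byte count overflowed
  }
  return total;
}

// Constructed shape: (2^62 + 1) * 4 = 2^64 + 4, which wraps to 4 elements
// in 64-bit arithmetic. With 4-byte elements the unchecked path yields
// 16 bytes. Both dimensions are valid positive int64 values.
std::vector<int64_t> crafted_shape() {
  return {static_cast<int64_t>((1LL << 62) + 1), 4};
}

// Constructed benign shape: an ordinary 1x3x224x224 image tensor.
std::vector<int64_t> benign_shape() { return {1, 3, 224, 224}; }

int main() {
  std::printf("benign  unchecked: %zu bytes\n",
              nbytes_unchecked(benign_shape(), kFloat32Bytes));
  std::printf("crafted unchecked: %zu bytes (wrapped)\n",
              nbytes_unchecked(crafted_shape(), kFloat32Bytes));
  auto checked = nbytes_checked(crafted_shape(), kFloat32Bytes);
  std::printf("crafted checked:   %s\n",
              checked ? "accepted" : "rejected (overflow)");
  return 0;
}
```

The check `a > SIZE_MAX / b` is the portable form; on GCC and Clang `__builtin_mul_overflow` expresses the same test in one call. The important property is that the check runs on every partial product and on the final multiplication by the element size, since any one of those steps can be the one that wraps.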

WAF Protection Rules

WAF Rule

A heap-buffer-overflow vulnerability in the loading of ExecuTorch methods can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit ****************************
