CVE-2018-21233 — MEDIUM (CVSS 6.5) AI Security Vulnerability

Q: Is CVE-2018-21233 actively exploited?

No confirmed active exploitation of CVE-2018-21233 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2018-21233?

1. Patch: Upgrade TensorFlow to >=1.7.0. 2. Input validation: Enforce allowlist of accepted image formats at API/pipeline boundary — reject BMP if not required. 3. Input sanitization: Validate image headers and dimensions before passing to TensorFlow decode ops. 4. Process isolation: Run TensorFlow inference in sandboxed processes with minimal memory exposure (no credentials in process memory). 5. Detection: Monitor for abnormal memory access patterns or segfaults in TensorFlow serving processes. 6. Audit: Inventory all services accepting BMP image input and cross-check TensorFlow version.

CISO Take

TensorFlow's BMP image decoder has an integer overflow causing out-of-bounds memory reads, potentially exposing process memory contents including model weights, credentials, or training data. Any ML pipeline or inference API that accepts and processes BMP images from untrusted sources using TensorFlow <1.7.0 is at risk. Upgrade to TensorFlow 1.7.0+ immediately and restrict accepted image formats at the API boundary.

Risk Assessment

Medium severity but with high confidentiality impact (CVSS C:H). The network-reachable, zero-privileges attack vector is concerning for exposed vision inference APIs. While User Interaction is required (typically meaning a user must trigger processing of a malicious image), in automated ML pipelines this 'interaction' may be a batch job or webhook automatically processing attacker-supplied images — effectively reducing the interaction barrier. No active exploitation or KEV listing, but the memory disclosure primitive is a stepping stone for deeper compromise.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

6.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 32% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Network

AC Low

PR None

UI Required

S Unchanged

C High

I None

A None

Recommended Action

6 steps

Patch: Upgrade TensorFlow to >=1.7.0.
Input validation: Enforce allowlist of accepted image formats at API/pipeline boundary — reject BMP if not required.
Input sanitization: Validate image headers and dimensions before passing to TensorFlow decode ops.
Process isolation: Run TensorFlow inference in sandboxed processes with minimal memory exposure (no credentials in process memory).
Detection: Monitor for abnormal memory access patterns or segfaults in TensorFlow serving processes.
Audit: Inventory all services accepting BMP image input and cross-check TensorFlow version.

Classification

Data Extraction Privacy Violation Supply Chain Framework Inference AML.T0001 - Search Open AI Vulnerability Analysis AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.4 - Information security in AI systems

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain value and manage risk of deployed AI systems

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2018-21233?

TensorFlow's BMP image decoder has an integer overflow causing out-of-bounds memory reads, potentially exposing process memory contents including model weights, credentials, or training data. Any ML pipeline or inference API that accepts and processes BMP images from untrusted sources using TensorFlow <1.7.0 is at risk. Upgrade to TensorFlow 1.7.0+ immediately and restrict accepted image formats at the API boundary.

Is CVE-2018-21233 actively exploited?

No confirmed active exploitation of CVE-2018-21233 has been reported, but organizations should still patch proactively.

How to fix CVE-2018-21233?

1. Patch: Upgrade TensorFlow to >=1.7.0. 2. Input validation: Enforce allowlist of accepted image formats at API/pipeline boundary — reject BMP if not required. 3. Input sanitization: Validate image headers and dimensions before passing to TensorFlow decode ops. 4. Process isolation: Run TensorFlow inference in sandboxed processes with minimal memory exposure (no credentials in process memory). 5. Detection: Monitor for abnormal memory access patterns or segfaults in TensorFlow serving processes. 6. Audit: Inventory all services accepting BMP image input and cross-check TensorFlow version.

What systems are affected by CVE-2018-21233?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference APIs, data ingestion pipelines.

What is the CVSS score for CVE-2018-21233?

CVE-2018-21233 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.13%.

Technical Details

NVD Description

TensorFlow before 1.7.0 has an integer overflow that causes an out-of-bounds read, possibly causing disclosure of the contents of process memory. This occurs in the DecodeBmp feature of the BMP decoder in core/kernels/decode_bmp_op.cc.

Exploitation Scenario

An adversary targeting an organization's computer vision inference API crafts a malicious BMP file with manipulated header fields that trigger the integer overflow in TensorFlow's DecodeBmp kernel. The adversary submits this image to the API endpoint (or injects it into a dataset ingestion pipeline). The out-of-bounds read returns memory contents from the TensorFlow serving process, which the adversary retrieves via error messages, debug logs, or crafted API responses. In a worst-case scenario, this memory contains loaded API credentials, database connection strings, or proprietary model weights, enabling lateral movement or IP theft.