CVE-2018-21233: TensorFlow integer overflow leaks

Q: Is CVE-2018-21233 actively exploited?

No confirmed active exploitation of CVE-2018-21233 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2018-21233?

1. Patch: Upgrade TensorFlow to >=1.7.0. 2. Input validation: Enforce allowlist of accepted image formats at API/pipeline boundary — reject BMP if not required. 3. Input sanitization: Validate image headers and dimensions before passing to TensorFlow decode ops. 4. Process isolation: Run TensorFlow inference in sandboxed processes with minimal memory exposure (no credentials in process memory). 5. Detection: Monitor for abnormal memory access patterns or segfaults in TensorFlow serving processes. 6. Audit: Inventory all services accepting BMP image input and cross-check TensorFlow version.

CISO Take

TensorFlow's BMP image decoder has an integer overflow causing out-of-bounds memory reads, potentially exposing process memory contents including model weights, credentials, or training data. Any ML pipeline or inference API that accepts and processes BMP images from untrusted sources using TensorFlow <1.7.0 is at risk. Upgrade to TensorFlow 1.7.0+ immediately and restrict accepted image formats at the API boundary.

What is the risk?

Medium severity but with high confidentiality impact (CVSS C:H). The network-reachable, zero-privileges attack vector is concerning for exposed vision inference APIs. While User Interaction is required (typically meaning a user must trigger processing of a malicious image), in automated ML pipelines this 'interaction' may be a batch job or webhook automatically processing attacker-supplied images — effectively reducing the interaction barrier. No active exploitation or KEV listing, but the memory disclosure primitive is a stepping stone for deeper compromise.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

6.5 / 10

EPSS

0.5%

chance of exploitation in 30 days

Higher than 38% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

What is the attack surface?

AV Network

AC Low

PR None

UI Required

S Unchanged

C High

I None

A None

What should I do?

6 steps

Patch: Upgrade TensorFlow to >=1.7.0.
Input validation: Enforce allowlist of accepted image formats at API/pipeline boundary — reject BMP if not required.
Input sanitization: Validate image headers and dimensions before passing to TensorFlow decode ops.
Process isolation: Run TensorFlow inference in sandboxed processes with minimal memory exposure (no credentials in process memory).
Detection: Monitor for abnormal memory access patterns or segfaults in TensorFlow serving processes.
Audit: Inventory all services accepting BMP image input and cross-check TensorFlow version.

How is it classified?

Data Extraction Privacy Violation Supply Chain Framework Inference AML.T0001 - Search Open AI Vulnerability Analysis AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.4 - Information security in AI systems

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain value and manage risk of deployed AI systems

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2018-21233?

TensorFlow's BMP image decoder has an integer overflow causing out-of-bounds memory reads, potentially exposing process memory contents including model weights, credentials, or training data. Any ML pipeline or inference API that accepts and processes BMP images from untrusted sources using TensorFlow <1.7.0 is at risk. Upgrade to TensorFlow 1.7.0+ immediately and restrict accepted image formats at the API boundary.

Is CVE-2018-21233 actively exploited?

No confirmed active exploitation of CVE-2018-21233 has been reported, but organizations should still patch proactively.

How to fix CVE-2018-21233?

1. Patch: Upgrade TensorFlow to >=1.7.0. 2. Input validation: Enforce allowlist of accepted image formats at API/pipeline boundary — reject BMP if not required. 3. Input sanitization: Validate image headers and dimensions before passing to TensorFlow decode ops. 4. Process isolation: Run TensorFlow inference in sandboxed processes with minimal memory exposure (no credentials in process memory). 5. Detection: Monitor for abnormal memory access patterns or segfaults in TensorFlow serving processes. 6. Audit: Inventory all services accepting BMP image input and cross-check TensorFlow version.

What systems are affected by CVE-2018-21233?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference APIs, data ingestion pipelines.

What is the CVSS score for CVE-2018-21233?

CVE-2018-21233 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.48%.

What is the AI security impact?

Affected AI Architectures

model servingtraining pipelinesinference APIsdata ingestion pipelines

MITRE ATLAS Techniques

AML.T0001 Search Open AI Vulnerability Analysis

AML.T0010.001 AI Software

AML.T0025 Exfiltration via Cyber Means

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: A.9.4

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

TensorFlow before 1.7.0 has an integer overflow that causes an out-of-bounds read, possibly causing disclosure of the contents of process memory. This occurs in the DecodeBmp feature of the BMP decoder in core/kernels/decode_bmp_op.cc.

Exploitation Scenario

An adversary targeting an organization's computer vision inference API crafts a malicious BMP file with manipulated header fields that trigger the integer overflow in TensorFlow's DecodeBmp kernel. The adversary submits this image to the API endpoint (or injects it into a dataset ingestion pipeline). The out-of-bounds read returns memory contents from the TensorFlow serving process, which the adversary retrieves via error messages, debug logs, or crafted API responses. In a worst-case scenario, this memory contains loaded API credentials, database connection strings, or proprietary model weights, enabling lateral movement or IP theft.

Weaknesses (CWE)

CWE-125 Out-of-bounds Read Primary

CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] Use a language that provides appropriate memory abstractions.

Source: MITRE CWE corpus.