CVE-2018-25378: Notebook Pro: DoS via oversized notebook name input

MEDIUM PoC AVAILABLE CISA: TRACK*
Published May 25, 2026
CISO Take

Notebook Pro 2.0 crashes when a local user or attacker pastes a string of 500 or more characters into the New Notebook Name field, a classic uncontrolled memory allocation flaw (CWE-789). The attack vector is strictly local with no confidentiality or integrity impact (CVSS:3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), which significantly limits blast radius — this is not remotely exploitable and presents minimal risk to networked AI infrastructure. There is no CISA KEV listing, no EPSS data, and no evidence of in-the-wild exploitation; the Exploit-DB entry (EDB-45420, published 2018) is a proof-of-concept demonstrating the crash is trivially reproducible by any local user. Teams using Notebook Pro 2.0 for AI development workflows should upgrade to a patched version if available and treat this as a low-priority maintenance item; the primary risk scenario is shared workstations or social engineering via malicious notebook files.

Sources: NVD ATLAS Exploit-DB VulnCheck

What is the risk?

Low risk overall. The local attack vector and availability-only impact constrain the threat surface to insider scenarios or physical access situations. No active exploitation is recorded in CISA KEV, no EPSS scoring is available, and no downstream AI packages or networked infrastructure are affected. Risk is marginally elevated in shared data science workstation environments or where notebook files are exchanged from untrusted parties, but remains well below the threshold requiring urgent remediation.

How does the attack unfold?

Payload Preparation
Attacker creates a text file or clipboard payload containing 500 or more characters, crafted to trigger uncontrolled memory allocation when used as a notebook name.
AML.T0017
User Execution
Attacker with local access, or via social engineering, pastes the oversized string into the New Notebook Name field within Notebook Pro 2.0.
AML.T0011
Impact — Denial of Service
The application crashes on attempting to create and save the notebook, disrupting the AI developer's workflow and destroying any unsaved work in the current session.
AML.T0029

How severe is it?

CVSS 3.1
6.2 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 3% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

What should I do?

5 steps
  1. Update Notebook Pro to the latest available version and verify vendor release notes address CWE-789 input length validation.

  2. If no patch exists, enforce a policy against opening notebook files received from untrusted or external sources.

  3. Implement file-sharing controls that restrict notebook file exchange within AI development teams to verified internal repositories.

  4. Enable autosave features where available to minimise data loss from unexpected crashes.

  5. Monitor endpoint crash telemetry on data science workstations for repeated Notebook Pro termination events as a potential indicator of targeted abuse.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

ISO 42001
8.4 - AI system operation
NIST AI RMF
MANAGE 2.4 - Residual risks are monitored and managed
OWASP LLM Top 10
LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2018-25378?

Notebook Pro 2.0 crashes when a local user or attacker pastes a string of 500 or more characters into the New Notebook Name field, a classic uncontrolled memory allocation flaw (CWE-789). The attack vector is strictly local with no confidentiality or integrity impact (CVSS:3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), which significantly limits blast radius — this is not remotely exploitable and presents minimal risk to networked AI infrastructure. There is no CISA KEV listing, no EPSS data, and no evidence of in-the-wild exploitation; the Exploit-DB entry (EDB-45420, published 2018) is a proof-of-concept demonstrating the crash is trivially reproducible by any local user. Teams using Notebook Pro 2.0 for AI development workflows should upgrade to a patched version if available and treat this as a low-priority maintenance item; the primary risk scenario is shared workstations or social engineering via malicious notebook files.

Is CVE-2018-25378 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2018-25378, increasing the risk of exploitation.

How to fix CVE-2018-25378?

1. Update Notebook Pro to the latest available version and verify vendor release notes address CWE-789 input length validation. 2. If no patch exists, enforce a policy against opening notebook files received from untrusted or external sources. 3. Implement file-sharing controls that restrict notebook file exchange within AI development teams to verified internal repositories. 4. Enable autosave features where available to minimise data loss from unexpected crashes. 5. Monitor endpoint crash telemetry on data science workstations for repeated Notebook Pro termination events as a potential indicator of targeted abuse.

What systems are affected by CVE-2018-25378?

This vulnerability affects the following AI/ML architecture patterns: AI development environments, notebook-based ML workflows, local data science workstations.

What is the CVSS score for CVE-2018-25378?

CVE-2018-25378 has a CVSS v3.1 base score of 6.2 (MEDIUM). The EPSS exploitation probability is 0.14%.

What is the AI security impact?

Affected AI Architectures

AI development environmentsnotebook-based ML workflowslocal data science workstations

MITRE ATLAS Techniques

AML.T0011 User Execution
AML.T0048.003 User Harm

Compliance Controls Affected

ISO 42001: 8.4
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM10:2025

What are the technical details?

Original Advisory

Notebook Pro 2.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the notebook name field. Attackers can create a malicious text file containing 500 or more characters, paste the content into the New Notebook Name field, and trigger an application crash when attempting to create and save the notebook.

Exploitation Scenario

An insider or attacker with local workstation access creates a text file containing 500+ characters and pastes the content into the New Notebook Name field of Notebook Pro 2.0. Alternatively, a socially engineered victim is sent a malicious notebook file with instructions to rename it via the application UI. On attempting to create and save the notebook, the application crashes due to unbounded memory allocation. In a targeted operation against an AI development team during a critical sprint, this could be used as a low-sophistication distraction attack — crashing the tool repeatedly to disrupt productivity, destroy unsaved experiment notes, or create a pretext for gaining further access while the victim troubleshoots the crash.

Weaknesses (CWE)

CWE-789 — Memory Allocation with Excessive Size Value: The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

  • [Implementation, Architecture and Design] Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.
  • [Operation] Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
May 25, 2026
Last Modified
May 26, 2026
First Seen
May 25, 2026

Related Vulnerabilities