AI Threat Alert

CVE-2018-25378: Notebook Pro: DoS via oversized notebook name input

MEDIUM
Published May 25, 2026
CISO Take

Notebook Pro 2.0 crashes when a local user or attacker pastes a string of 500 or more characters into the New Notebook Name field, a classic uncontrolled memory allocation flaw (CWE-789). The attack vector is strictly local with no confidentiality or integrity impact (CVSS:3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), which significantly limits blast radius — this is not remotely exploitable and presents minimal risk to networked AI infrastructure. There is no CISA KEV listing, no EPSS data, and no evidence of in-the-wild exploitation; the Exploit-DB entry (EDB-45420, published 2018) is a proof-of-concept demonstrating the crash is trivially reproducible by any local user. Teams using Notebook Pro 2.0 for AI development workflows should upgrade to a patched version if available and treat this as a low-priority maintenance item; the primary risk scenario is shared workstations or social engineering via malicious notebook files.

Sources: NVD ATLAS Exploit-DB VulnCheck

What is the risk?

Low risk overall. The local attack vector and availability-only impact constrain the threat surface to insider scenarios or physical access situations. No active exploitation is recorded in CISA KEV, no EPSS scoring is available, and no downstream AI packages or networked infrastructure are affected. Risk is marginally elevated in shared data science workstation environments or where notebook files are exchanged from untrusted parties, but remains well below the threshold requiring urgent remediation.

Attack Kill Chain

Payload Preparation
Attacker creates a text file or clipboard payload containing 500 or more characters, crafted to trigger uncontrolled memory allocation when used as a notebook name.
AML.T0017
User Execution
Attacker with local access, or via social engineering, pastes the oversized string into the New Notebook Name field within Notebook Pro 2.0.
AML.T0011
Impact — Denial of Service
The application crashes on attempting to create and save the notebook, disrupting the AI developer's workflow and destroying any unsaved work in the current session.
AML.T0029

Severity & Risk

CVSS 3.1
6.2 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV AC PR UI S C I A
AV Local
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

What should I do?

5 steps

  1. Update Notebook Pro to the latest available version and verify vendor release notes address CWE-789 input length validation.

  2. If no patch exists, enforce a policy against opening notebook files received from untrusted or external sources.

  3. Implement file-sharing controls that restrict notebook file exchange within AI development teams to verified internal repositories.

  4. Enable autosave features where available to minimise data loss from unexpected crashes.

  5. Monitor endpoint crash telemetry on data science workstations for repeated Notebook Pro termination events as a potential indicator of targeted abuse.

Classification

DoS Framework AML.T0011 AML.T0048.003

Compliance Impact

This CVE is relevant to:

ISO 42001
8.4 - AI system operation
NIST AI RMF
MANAGE 2.4 - Residual risks are monitored and managed
OWASP LLM Top 10
LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2018-25378?

Notebook Pro 2.0 crashes when a local user or attacker pastes a string of 500 or more characters into the New Notebook Name field, a classic uncontrolled memory allocation flaw (CWE-789). The attack vector is strictly local with no confidentiality or integrity impact (CVSS:3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), which significantly limits blast radius — this is not remotely exploitable and presents minimal risk to networked AI infrastructure. There is no CISA KEV listing, no EPSS data, and no evidence of in-the-wild exploitation; the Exploit-DB entry (EDB-45420, published 2018) is a proof-of-concept demonstrating the crash is trivially reproducible by any local user. Teams using Notebook Pro 2.0 for AI development workflows should upgrade to a patched version if available and treat this as a low-priority maintenance item; the primary risk scenario is shared workstations or social engineering via malicious notebook files.

Is CVE-2018-25378 actively exploited?

No confirmed active exploitation of CVE-2018-25378 has been reported, but organizations should still patch proactively.

How to fix CVE-2018-25378?

1. Update Notebook Pro to the latest available version and verify vendor release notes address CWE-789 input length validation. 2. If no patch exists, enforce a policy against opening notebook files received from untrusted or external sources. 3. Implement file-sharing controls that restrict notebook file exchange within AI development teams to verified internal repositories. 4. Enable autosave features where available to minimise data loss from unexpected crashes. 5. Monitor endpoint crash telemetry on data science workstations for repeated Notebook Pro termination events as a potential indicator of targeted abuse.

What systems are affected by CVE-2018-25378?

This vulnerability affects the following AI/ML architecture patterns: AI development environments, notebook-based ML workflows, local data science workstations.

What is the CVSS score for CVE-2018-25378?

CVE-2018-25378 has a CVSS v3.1 base score of 6.2 (MEDIUM).

AI Security Impact

Affected AI Architectures

AI development environmentsnotebook-based ML workflowslocal data science workstations

MITRE ATLAS Techniques

AML.T0011 User Execution
AML.T0048.003 User Harm

Compliance Controls Affected

ISO 42001: 8.4
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM10:2025

Technical Details

Original Advisory

Notebook Pro 2.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the notebook name field. Attackers can create a malicious text file containing 500 or more characters, paste the content into the New Notebook Name field, and trigger an application crash when attempting to create and save the notebook.

Exploitation Scenario

An insider or attacker with local workstation access creates a text file containing 500+ characters and pastes the content into the New Notebook Name field of Notebook Pro 2.0. Alternatively, a socially engineered victim is sent a malicious notebook file with instructions to rename it via the application UI. On attempting to create and save the notebook, the application crashes due to unbounded memory allocation. In a targeted operation against an AI development team during a critical sprint, this could be used as a low-sophistication distraction attack — crashing the tool repeatedly to disrupt productivity, destroy unsaved experiment notes, or create a pretext for gaining further access while the victim troubleshoots the crash.

Weaknesses (CWE)

CWE-789 Primary

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
May 25, 2026
Last Modified
May 25, 2026
First Seen
May 25, 2026

Related Vulnerabilities

CRITICAL CVE-2026-33660 10.0

TensorFlow: type confusion NPD in tensor conversion

Same attack type: DoS
CRITICAL CVE-2023-25668 9.8

TensorFlow: unauthenticated RCE via heap buffer overflow

Same attack type: DoS
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same attack type: DoS
CRITICAL CVE-2022-35939 9.8

TensorFlow: ScatterNd OOB write enables RCE/crash

Same attack type: DoS
CRITICAL CVE-2022-41900 9.8

TensorFlow: heap OOB RCE in FractionalMaxPool op

Same attack type: DoS
Back to Threat Feed