CVE-2018-7575: TensorFlow: buffer overflow, potential RCE in 1.7.x

UNKNOWN
Published April 24, 2019
CISO Take

TensorFlow 1.7.x and earlier contain an integer overflow (CWE-190) that leads to a buffer overflow when a maliciously crafted model or checkpoint file is parsed. The original advisory states only that this is a buffer overflow with context-dependent exploitation, so the outcome ranges from a crash of the TensorFlow process to arbitrary code execution in its context. Any ML pipeline that loads externally sourced or user-supplied model artifacts on these versions is exposed. Upgrade to TensorFlow 1.8.0 or later; until then, treat every model file as untrusted input whose provenance must be verified before it is loaded.

What is the risk?

Risk is HIGH for organizations still running TensorFlow 1.7.x or earlier in production inference or training pipelines. The integer overflow (CWE-190) is triggered deterministically by a crafted input file, so the memory corruption itself is reliable; whether that corruption yields code execution rather than a crash depends on the process's memory layout and build, which is what the advisory means by context-dependent exploitation. The vulnerability dates from 2018 and TensorFlow 1.x is end of life, so exposure should be limited to legacy systems; TensorFlow 1.8.0 and later, including every 2.x release, are unaffected. The primary concern is ML engineers running old notebooks or legacy batch-scoring jobs where the TensorFlow version was pinned to 1.7.x or never pinned at all.

What systems are affected?

Package      Ecosystem   Vulnerable Range                     Patched
TensorFlow   pip         1.7.x and earlier (per the advisory)  No fixed version recorded in the package database; remediation below requires 1.8.0 or later

If you run TensorFlow 1.7.x or earlier, you are affected; 1.8.0 and later are not.

How severe is it?

CVSS 3.1: N/A
EPSS: 0.5% chance of exploitation in 30 days (higher than 38% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

6 steps
  1. Inventory all TensorFlow installations and enforce a minimum version of 1.8.0 (ideally a current, supported 2.x release).

  2. Audit CI/CD pipelines, Jupyter environments, and batch job containers for pinned TF 1.7.x dependencies.

  3. Implement model provenance controls: cryptographic signing of model artifacts, hash verification before loading, and prohibition of loading models from untrusted external sources.

  4. Run TF inference/training processes in sandboxed environments (containers with dropped capabilities, seccomp profiles) to limit RCE blast radius.

  5. Add SCA scanning that flags known-vulnerable TensorFlow versions in dependency manifests and lock files (requirements.txt, Pipfile and Pipfile.lock, conda environment files). SAST of your own Python code will not find this bug: the overflow lives in TensorFlow's native library, so the control is version detection, not pattern matching.

  6. Detection: monitor for unexpected child process spawning or network connections originating from TF worker processes.
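The inventory, manifest-audit and provenance steps above, as an added example in Python that is not from the advisory or from the TensorFlow project. It assumes the advisory's affected range (1.7.x and earlier affected, 1.8.0 fixed), a hypothetical pinned-digest record that the deployment pipeline keeps per artifact, and the constructed manifest lines and model bytes embedded in the block; `load_if_verified` takes any loader callable in place of TensorFlow's own checkpoint or SavedModel loading API.

```python
"""Scan dependency manifests for TensorFlow pins in the CVE-2018-7575 range and
gate model loading on a pinned SHA-256.

Added example; not code from the advisory or from the TensorFlow project.
Assumes the advisory's range (1.7.x and earlier affected, 1.8.0 fixed) and a
hypothetical digest record the pipeline would maintain. The requirement lines
and model bytes below are constructed sample data.
"""
import hashlib
import hmac
import re
from typing import Callable, List, Optional, Tuple

FIXED = (1, 8, 0)  # first release the advisory text treats as safe

# Package name at line start: tensorflow, tensorflow-gpu or tensorflow-cpu,
# but not tensorflow-datasets or other tensorflow-* projects.
NAME_RE = re.compile(r'^\s*(tensorflow(?:-gpu|-cpu)?)(?![\w-])', re.IGNORECASE)
# Version specifiers as written in requirements.txt, Pipfile, pyproject and
# conda env files: ==1.7.0, <1.8, "==1.7.0", =1.7.0, "1.7.0".
SPEC_RE = re.compile(r'(===|==|~=|<=|>=|<|>|=)\s*"?\s*([0-9]+(?:\.[0-9]+)*)')


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.7' -> (1, 7, 0) so that tuples compare component-wise."""
    parts = tuple(int(p) for p in text.split('.'))
    return parts + (0,) * max(0, 3 - len(parts))


def classify_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (package, verdict) for a TensorFlow requirement line, else None.

    AFFECTED  - the constraint can only resolve to a release below 1.8.0
    FIXED     - exact pin at or above 1.8.0
    UNPINNED  - no exact pin; the resolver decides, so check the lock file
    """
    text = line.split('#', 1)[0]          # drop trailing comments
    m = NAME_RE.match(text)
    if not m:
        return None
    name = m.group(1).lower()
    specs = [(op, parse_version(v)) for op, v in SPEC_RE.findall(text)]
    for op, ver in specs:                  # exact pins decide outright
        if op in ('==', '===', '='):
            return name, 'AFFECTED' if ver < FIXED else 'FIXED'
    for op, ver in specs:                  # an upper bound that excludes 1.8.0
        if (op == '<' and ver <= FIXED) or (op == '<=' and ver < FIXED):
            return name, 'AFFECTED'
    return name, 'UNPINNED'


def scan_manifest(text: str) -> List[Tuple[int, str, str]]:
    """All TensorFlow lines in a manifest as (line number, package, verdict)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        result = classify_line(line)
        if result is not None:
            findings.append((lineno, result[0], result[1]))
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, expected_sha256: str) -> bool:
    """Compare a model file's SHA-256 with the pinned digest in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def load_if_verified(data: bytes, expected_sha256: str,
                     loader: Callable[[bytes], object]):
    """Hand bytes to a loader only after the digest check; refuse otherwise.

    `loader` stands in for whatever deserialises the artifact; it never sees
    unverified bytes.
    """
    if not verify_artifact(data, expected_sha256):
        raise ValueError('model artifact digest mismatch; refusing to load')
    return loader(data)


# Constructed sample manifest mixing requirements.txt, Pipfile and conda styles.
SAMPLE_MANIFEST = """\
numpy==1.14.0
tensorflow==1.7.0              # legacy batch-scoring job
tensorflow-gpu>=1.4,<1.8       # upper bound excludes the fixed release
tensorflow-cpu==2.12.0
tensorflow = "==1.7.0"
tensorflow=1.6.0
tensorflow                     # unpinned: the resolver decides
tensorflow-datasets==4.9.0     # different project, ignored
"""

if __name__ == '__main__':
    for lineno, name, verdict in scan_manifest(SAMPLE_MANIFEST):
        print(f'line {lineno}: {name}: {verdict}')
    blob = b'constructed stand-in for a model file'
    pinned = sha256_hex(blob)          # digest the pipeline records at signing time
    print(load_if_verified(blob, pinned, len))   # 37
    try:
        load_if_verified(blob + b'!', pinned, len)
    except ValueError as exc:
        print(exc)
```

The manifest scan is deliberately conservative: a line with only a lower bound (`>=1.4`) or no specifier is reported as UNPINNED rather than safe, because the installed version is then whatever the resolver or lock file chose, and that is where neglected pins keep 1.7.x alive. The digest check uses `hmac.compare_digest` so a mismatch does not leak timing information about the expected value, and the loader callable never receives bytes that failed the check.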

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security
NIST AI RMF
GOVERN 6.1 - Policies and procedures are in place for supply chain
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI with respect to risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain (listed as LLM05 Supply Chain Vulnerabilities in the 2023 edition)

Frequently Asked Questions

What is CVE-2018-7575?

CVE-2018-7575 is an integer overflow (CWE-190) in TensorFlow 1.7.x and earlier that leads to a buffer overflow when a crafted model or checkpoint file is parsed. The advisory rates exploitation as context-dependent: the outcome ranges from a crash to code execution in the TensorFlow process. The fix is to run TensorFlow 1.8.0 or later and to verify the provenance of every model artifact before loading it.

Is CVE-2018-7575 actively exploited?

No confirmed active exploitation of CVE-2018-7575 has been reported, but organizations should still patch proactively.

How to fix CVE-2018-7575?

Upgrade every TensorFlow installation to 1.8.0 or later. The six steps under "What should I do?" above cover the rest: inventory, auditing manifests and lock files for 1.7.x pins, signing and hash-verifying model artifacts, sandboxing TensorFlow processes, SCA scanning, and detection of unexpected child processes or network connections from TF workers.

What systems are affected by CVE-2018-7575?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, model registries, and batch inference.

What is the CVSS score for CVE-2018-7575?

No CVSS score is recorded on this page; severity must be judged from the advisory text (buffer overflow, context-dependent exploitation).

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, model registries, batch inference

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.6
NIST AI RMF: GOVERN 6.1, MANAGE 2.2
OWASP LLM Top 10: LLM03:2025 (Supply Chain)

What are the technical details?

Original Advisory

Google TensorFlow 1.7.x and earlier is affected by a Buffer Overflow vulnerability. The type of exploitation is context-dependent.

Exploitation Scenario

An attacker targeting an organization's ML pipeline identifies a model registry or shared artifact store that the training or inference cluster reads from. They upload a maliciously crafted TensorFlow model or checkpoint file whose size fields overflow the integer arithmetic (CWE-190) the TF 1.7.x parser uses to size a buffer, so the parser writes past the buffer it allocated. When an ML engineer or automated pipeline loads the file to resume training, the out-of-bounds write corrupts process memory; the advisory rates exploitation as context-dependent, so the result ranges from a crash to, given a suitable memory layout, attacker-controlled code running in the context of the TF process. From there, the attacker can exfiltrate training data, poison future model artifacts, or move laterally within the ML infrastructure. This scenario is most realistic in organizations that let data scientists pull models directly from public repositories without hash verification.

Weaknesses (CWE)

CWE-190 — Integer Overflow or Wraparound: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

  • [Requirements] Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. If possible, choose a language or compiler that performs automatic bounds checking.

Source: MITRE CWE corpus.
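The CWE-190 mechanism described above, as an added example in Python that is not TensorFlow code and not the file format involved in CVE-2018-7575. The format is constructed: a header of two little-endian uint32 fields (record count, bytes per record) followed by the records. The vulnerable parser reproduces what a C parser does with `uint32_t total = count * size;` by masking the product to 32 bits: the product wraps, the tiny wrapped value passes the bounds check, and the record loop would then read far past the buffer. The hardened parser rejects the multiplication before trusting it.

```python
"""CWE-190 in a length-prefixed parser: vulnerable 32-bit arithmetic beside
a hardened check.

Added example; not TensorFlow code and not the format behind CVE-2018-7575.
The record format and the two inputs at the bottom are constructed.
"""
import struct
from typing import List, Tuple

UINT32_MAX = 0xFFFF_FFFF
HEADER = struct.Struct('<II')   # record count, bytes per record


def size_fits(count: int, elem_size: int, available: int) -> bool:
    """True only if count * elem_size fits in uint32 and in the payload.

    The overflow test is done by division so the product is never computed
    in the narrow type; this is the CWE-190 mitigation.
    """
    if elem_size == 0 or count > UINT32_MAX // elem_size:
        return False
    return count * elem_size <= available


def parse_vulnerable(blob: bytes) -> Tuple[int, int, int]:
    """Return (bytes checked, bytes the record loop would touch, payload length).

    Mirrors a C parser that computes the total in uint32 and checks that
    wrapped total against the payload. When the product wraps, the check
    passes while the record loop walks count * elem_size real bytes.
    """
    count, elem_size = HEADER.unpack_from(blob, 0)
    payload_len = len(blob) - HEADER.size
    total = (count * elem_size) & UINT32_MAX   # CWE-190: 32-bit wraparound
    if total > payload_len:
        raise ValueError('declared size exceeds payload')
    return total, count * elem_size, payload_len


def parse_hardened(blob: bytes) -> List[bytes]:
    """Split the payload into records only after an overflow-safe size check."""
    if len(blob) < HEADER.size:
        raise ValueError('truncated header')
    count, elem_size = HEADER.unpack_from(blob, 0)
    payload = blob[HEADER.size:]
    if not size_fits(count, elem_size, len(payload)):
        raise ValueError('record count * record size overflows or exceeds payload')
    return [payload[i * elem_size:(i + 1) * elem_size] for i in range(count)]


# Constructed inputs. The crafted header declares 0x40000001 records of 4
# bytes: 0x40000001 * 4 = 0x1_0000_0004, which wraps to 4 in uint32, exactly
# the size of the 4-byte payload that follows.
BENIGN = HEADER.pack(3, 4) + b'abcdefghijkl'
CRAFTED = HEADER.pack(0x40000001, 4) + b'\x00' * 4

if __name__ == '__main__':
    print(parse_hardened(BENIGN))                 # [b'abcd', b'efgh', b'ijkl']
    checked, touched, have = parse_vulnerable(CRAFTED)
    print(f'vulnerable parser checked {checked} bytes, '
          f'loop would touch {touched}, payload is {have}')
    try:
        parse_hardened(CRAFTED)
    except ValueError as exc:
        print('hardened parser:', exc)
```

The point of `size_fits` is the order of operations: the overflow is detected by comparing `count` against `UINT32_MAX // elem_size` before any multiplication, which is the same pattern a C parser needs (or a checked-multiply builtin) because a bounds check performed on an already-wrapped product, as in `parse_vulnerable`, is a check on the wrong number.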

Timeline

Published
April 24, 2019
Last Modified
November 21, 2024
First Seen
April 24, 2019

Related Vulnerabilities