CVE-2018-7575: TensorFlow: buffer overflow, potential RCE in 1.7.x

Published April 24, 2019
CISO Take

TensorFlow 1.7.x and earlier contain an integer overflow (CWE-190) that triggers a heap buffer overflow when processing maliciously crafted model or checkpoint files, potentially enabling arbitrary code execution in the TensorFlow process context. Any ML pipeline that loads externally sourced or user-supplied model files on these versions is at direct risk. Upgrade to TensorFlow 1.8.0 or later immediately; treat all model files as untrusted artifacts until provenance is verified.

Risk Assessment

Risk is HIGH for organizations still running TensorFlow 1.7.x or earlier in production inference or training pipelines. The integer overflow (CWE-190) is driven entirely by file content, so the memory corruption itself is deterministic; turning that corruption into code execution still depends on heap layout and platform mitigations, which is why NVD describes exploitation as context-dependent. The vulnerability is dated (2018) and the TensorFlow 1.x line is end-of-life, so exposure should be limited to legacy systems; TensorFlow 1.8.0 and later, including every 2.x release, are unaffected. The primary concern is ML engineers running old notebooks or legacy batch scoring jobs where version pinning has been neglected.

Affected Systems

Package      Ecosystem   Vulnerable range      Patched
tensorflow   pip         1.7.x and earlier     no patched version recorded in the package row; the advisory text recommends 1.8.0 or later (see Recommended Action)

Severity & Risk

CVSS 3.1: N/A (no score assigned)
EPSS: 0.2% chance of exploitation in the next 30 days (higher than 39% of all CVEs)
Exploitation status: no known exploitation
Sophistication: moderate

Recommended Action

  1. Inventory all TensorFlow installations and enforce a minimum version of 1.8.0 (ideally a currently supported 2.x release, since the whole 1.x line is end-of-life).

  2. Audit CI/CD pipelines, Jupyter environments, and batch job containers for pinned TF 1.7.x-or-earlier dependencies, including transitive pins in lockfiles and base images.

  3. Implement model provenance controls: cryptographic signing of model artifacts, hash verification before the file reaches any TensorFlow parser, and a prohibition on loading models from untrusted external sources.

  4. Run TF inference/training processes in sandboxed environments (containers with dropped capabilities, seccomp profiles, no outbound network by default) to limit the blast radius of code execution in the TF process.

  5. Add SCA scanning that flags known-vulnerable TensorFlow versions in dependency manifests and lockfiles (requirements.txt, Pipfile/Pipfile.lock, Conda env files). SAST on your own code will not find this issue; the overflow is inside the library.

  6. Detection: monitor for unexpected child process spawning or network connections originating from TF worker processes; a model-loading job has no reason to fork a shell.
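The script below is an added example, not part of the original advisory and not TensorFlow project code. It turns steps 1 to 3 and 5 into a single gate: it scans requirements.txt, Pipfile and Conda-style lines for TensorFlow requirements that are unpinned or can still resolve to 1.7.x or earlier, and it refuses to hand a model file to a loader unless the file's SHA-256 matches a digest registered ahead of time. The manifest lines, the stand-in model bytes and the allowlist dictionary are constructed for the example; the loader callback stands in for whatever real call your pipeline uses (for instance tf.saved_model.load) and is an assumption about your deployment, not a TensorFlow interface.

```python
"""Added example for the Recommended Action above (not from the advisory or
from TensorFlow). Two gates: a manifest scanner for TensorFlow pins that can
still resolve below 1.8.0, and a SHA-256 allowlist check that runs before any
model bytes reach a parser. Inputs are constructed; the allowlist layout and
the loader callback are assumptions."""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Tuple

MIN_SAFE = (1, 8, 0)  # first release this advisory treats as fixed

# Matches requirements.txt lines, conda list items ("- tensorflow=1.7.1") and,
# after the Pipfile rewrite below, Pipfile entries (tensorflow = "==1.7.0").
# The lookahead stops "tensorflow-hub" or "tensorflowjs" from matching.
_PIN = re.compile(
    r"^\s*-?\s*(?P<name>tensorflow(?:[-_](?:gpu|cpu))?)(?![\w.-])"
    r"(?:\s*(?P<op>===|==|>=|<=|~=|<|>|=)\s*(?P<ver>\d+(?:\.\d+){0,2}))?",
    re.IGNORECASE,
)
_PIPFILE = re.compile(r'^(\s*\S+)\s*=\s*"([^"]*)"\s*$')  # name = "spec" -> namespec


def parse_version(text: str) -> Tuple[int, int, int]:
    """'1.7' -> (1, 7, 0); pre-release suffixes are irrelevant for this check."""
    parts = [int(p) for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def scan_manifest(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) for each TensorFlow requirement that is unpinned
    or whose bounds still admit a 1.7.x-or-earlier install."""
    findings: List[Tuple[str, str]] = []
    for raw in lines:
        line = _PIPFILE.sub(r"\1\2", raw.split("#", 1)[0].rstrip())
        m = _PIN.match(line)
        if not m:
            continue  # numpy, tensorflow-hub, ... are not the package at issue
        op, ver = m.group("op"), m.group("ver")
        if not op:
            findings.append((raw.strip(), "no version bound; add >=1.8.0"))
            continue
        v = parse_version(ver)
        if op in ("==", "===", "=", "~=") and v < MIN_SAFE:
            findings.append((raw.strip(), f"pinned to {ver}, below 1.8.0"))
        elif op in (">=", ">") and v < MIN_SAFE:
            findings.append((raw.strip(), f"lower bound {ver} still admits 1.7.x"))
        elif (op == "<" and v <= MIN_SAFE) or (op == "<=" and v < MIN_SAFE):
            findings.append((raw.strip(), f"upper bound {op}{ver} forces a vulnerable release"))
    return findings


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def load_verified(path: Path, allowlist: Dict[str, str], loader: Callable[[Path], object]):
    """Hash first, parse second: bytes whose digest is not registered never
    reach the (vulnerable) parser. `loader` is the real load call in production."""
    expected = allowlist.get(path.name)
    if expected is None:
        raise PermissionError(f"{path.name}: no registered digest, refusing to load")
    if not hmac.compare_digest(sha256_file(path), expected):
        raise PermissionError(f"{path.name}: digest mismatch, refusing to load")
    return loader(path)


# Constructed inputs: a stand-in model blob and a mixed bag of manifest lines.
SAMPLE_MODEL = b"constructed stand-in for a checkpoint or SavedModel blob"
SAMPLE_MANIFEST = [
    "numpy==1.16.4",
    "tensorflow==1.7.0",
    "tensorflow-gpu>=1.5",
    "tensorflow<1.8",
    "tensorflow-hub==0.5.0",
    "tensorflow==2.15.0  # supported 2.x pin",
    "  - tensorflow=1.7.1",
    'tensorflow = "*"',
]


def demo() -> Dict[str, object]:
    """Run both gates on the constructed inputs and return what happened."""
    result: Dict[str, object] = {"findings": scan_manifest(SAMPLE_MANIFEST)}
    read = lambda p: p.read_bytes()  # stand-in for the real loader
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "model.ckpt"
        good.write_bytes(SAMPLE_MODEL)
        allowlist = {good.name: hashlib.sha256(SAMPLE_MODEL).hexdigest()}
        result["good_len"] = len(load_verified(good, allowlist, read))
        good.write_bytes(SAMPLE_MODEL + b"\x00")  # artifact swapped in place
        try:
            load_verified(good, allowlist, read)
            result["tampered_rejected"] = False
        except PermissionError:
            result["tampered_rejected"] = True
        unknown = Path(d) / "from-public-repo.pb"  # pulled without registration
        unknown.write_bytes(SAMPLE_MODEL)
        try:
            load_verified(unknown, allowlist, read)
            result["unregistered_rejected"] = False
        except PermissionError:
            result["unregistered_rejected"] = True
    return result


if __name__ == "__main__":
    for line, reason in scan_manifest(SAMPLE_MANIFEST):
        print(f"FLAG {line!r}: {reason}")
    print(demo())
```

Running it prints the five flagged requirement lines (the exact pin, the loose lower bound, the upper bound that forces 1.7.x, the conda pin and the unbounded Pipfile entry) and the outcome of three load attempts: the registered file loads, the same file after in-place tampering is refused, and an unregistered file is refused even though its bytes are identical. Hashing before parsing is the point here: the bug lives in the parser, so an unverified file must never reach it.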

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security
NIST AI RMF
GOVERN 6.1 - Policies and procedures are in place for supply chain
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI with respect to risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain (LLM05 - Supply Chain Vulnerabilities in the 2023 edition; LLM05:2025 is Improper Output Handling and does not apply to this CVE)

Frequently Asked Questions

What is CVE-2018-7575?

TensorFlow 1.7.x and earlier contain an integer overflow (CWE-190) that leads to a heap buffer overflow when a crafted model or checkpoint file is parsed. NVD rates the outcome as context-dependent; in the worst case it is arbitrary code execution in the TensorFlow process. Any pipeline that loads externally sourced or user-supplied model files on these versions is exposed. See the CISO Take above for the full summary.

Is CVE-2018-7575 actively exploited?

No confirmed active exploitation of CVE-2018-7575 has been reported, but organizations should still patch proactively.

How to fix CVE-2018-7575?

Upgrade every TensorFlow installation to 1.8.0 or later (preferably a supported 2.x release), audit CI/CD pipelines, notebooks and containers for stale 1.7.x-or-earlier pins, verify model artifact hashes before loading, sandbox TF processes, and monitor TF workers for unexpected child processes or network connections. The full six-step list is under Recommended Action above.

What systems are affected by CVE-2018-7575?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, model registries, batch inference.

What is the CVSS score for CVE-2018-7575?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Google TensorFlow 1.7.x and earlier is affected by a Buffer Overflow vulnerability. The type of exploitation is context-dependent.

Exploitation Scenario

An attacker targeting an organization's ML pipeline identifies a model registry or shared artifact store that they can write to and that the training or inference cluster reads from. They upload a maliciously crafted TensorFlow checkpoint file carrying a size field that, when processed by the TF 1.7.x parser, overflows and causes the parser to write past the heap buffer it allocated. When an ML engineer or automated pipeline loads the checkpoint to resume training, the corrupted heap can be turned into code execution in the context of the TF process; how reliably depends on heap layout and platform mitigations, which is what NVD means by context-dependent exploitation. From there, the attacker can exfiltrate training data, poison future model artifacts, or move laterally within the ML infrastructure. This scenario is especially realistic in organizations that let data scientists pull models directly from public repositories without hash verification.

Weaknesses (CWE)

CWE-190 - Integer Overflow or Wraparound (the root cause cited throughout this page; the overflowed size leads to the heap buffer overflow described above)
Timeline

Published
April 24, 2019
Last Modified
November 21, 2024
First Seen
April 24, 2019
