CVE-2018-7576: TensorFlow: NPD in 1.6.x crashes ML runtime

UNKNOWN
Published April 23, 2019
CISO Take

This 2018 null pointer dereference in TensorFlow 1.6.x primarily enables denial-of-service against ML training and serving infrastructure. Virtually all production environments should have upgraded far past 1.6.x — but audit legacy ML pipelines, research environments, and vendor-supplied ML appliances that may embed old TensorFlow versions. If still exposed, upgrade immediately; there is no workaround.

Risk Assessment

Low residual risk for most organizations given the age and version specificity. TensorFlow 1.6.x has been EOL for years, and no CVSS score was assigned, indicating limited formal tracking. Exploitation is context-dependent — an attacker needs the ability to supply crafted inputs to the TensorFlow runtime. No known active exploitation, no KEV inclusion. The greatest residual risk lies in legacy ML infrastructure, long-running research clusters, or vendor-supplied ML platforms that may pin old dependency versions.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch


Severity & Risk

CVSS 3.1
N/A
EPSS
0.1%
chance of exploitation in 30 days
Higher than 29% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

Recommended Action

6 steps
  1. Audit all ML infrastructure, base container images, and vendor-supplied platforms for TensorFlow version.

  2. Upgrade to TensorFlow 2.x LTS or latest stable (2.16+).

  3. Enforce minimum TensorFlow version in CI/CD pipelines and container registries via policy gates.

  4. If immediate upgrade is not feasible, restrict network access to TensorFlow Serving endpoints and implement strict input validation at the API boundary.

  5. Scan ML platform dependencies and Jupyter/notebook environments — these often lag on framework updates.

  6. No known workaround beyond version upgrade.
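As an added example (not part of this advisory) covering the version audit in step 1 and the CI policy gate in step 3, the script below scans a requirements.txt or `pip freeze` dump for TensorFlow constraints that admit versions below the 2.16 floor from step 2. The distribution names in TF_PACKAGES and the sample dump are assumptions constructed for the example.

```python
import re

MIN_VERSION = (2, 16, 0)  # floor taken from step 2 of the Recommended Action
TF_PACKAGES = {"tensorflow", "tensorflow-gpu", "tensorflow-cpu"}  # assumed pip names
SPEC_RE = re.compile(r"(===|==|~=|>=|<=|>|<)\s*([0-9][0-9A-Za-z.]*)")


def parse_version(text):
    """'1.6.0rc1' -> (1, 6, 0); pre-release and local suffixes are ignored."""
    nums = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple((nums + [0, 0, 0])[:3])


def satisfies_floor(specifiers, minimum=MIN_VERSION):
    """True only if some specifier proves every admitted version is >= minimum."""
    for op, ver in specifiers:
        if op in ("==", "===", "~=", ">=", ">") and parse_version(ver) >= minimum:
            return True
    return False  # pin or floor below the minimum, or a ceiling with no floor


def find_violations(requirements_text, minimum=MIN_VERSION):
    """Scan requirements.txt or 'pip freeze' lines; return (name, line) for failures."""
    violations = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank line, comment, or a pip option such as -r / --index-url
        name = re.split(r"[\s=<>~!;\[]", line, maxsplit=1)[0].lower().replace("_", "-")
        if name not in TF_PACKAGES:
            continue
        if not satisfies_floor(SPEC_RE.findall(line), minimum):
            violations.append((name, line))
    return violations


# Constructed sample: a pip freeze dump from a legacy research environment.
SAMPLE = """numpy==1.14.2
tensorflow==1.6.0          # inside the 1.6.x range this CVE covers
tensorflow-gpu>=1.5,<2.0   # floor below the minimum; the ceiling does not help
Keras>=2.1
"""

if __name__ == "__main__":  # non-zero exit lets a CI policy gate block the build
    for name, line in find_violations(SAMPLE):
        print(f"FAIL {name}: {line}")
    raise SystemExit(1 if find_violations(SAMPLE) else 0)
```

Run it against `pip freeze` output captured from each container image or notebook environment; any FAIL line is a pipeline or platform still on a range this advisory covers.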

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.6.2.6 - AI system operation and monitoring
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to inventory AI risks based on assessments and organizational risk tolerance
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2018-7576?

This 2018 null pointer dereference in TensorFlow 1.6.x primarily enables denial-of-service against ML training and serving infrastructure. Virtually all production environments should have upgraded far past 1.6.x — but audit legacy ML pipelines, research environments, and vendor-supplied ML appliances that may embed old TensorFlow versions. If still exposed, upgrade immediately; there is no workaround.

Is CVE-2018-7576 actively exploited?

No confirmed active exploitation of CVE-2018-7576 has been reported, but organizations should still patch proactively.

How to fix CVE-2018-7576?

  1. Audit all ML infrastructure, base container images, and vendor-supplied platforms for TensorFlow version.

  2. Upgrade to TensorFlow 2.x LTS or latest stable (2.16+).

  3. Enforce minimum TensorFlow version in CI/CD pipelines and container registries via policy gates.

  4. If immediate upgrade is not feasible, restrict network access to TensorFlow Serving endpoints and implement strict input validation at the API boundary.

  5. Scan ML platform dependencies and Jupyter/notebook environments — these often lag on framework updates.

  6. No known workaround beyond version upgrade.

What systems are affected by CVE-2018-7576?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, and ML development environments.

What is the CVSS score for CVE-2018-7576?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent.

Exploitation Scenario

An adversary with access to a model serving API submits a specially crafted tensor or malformed operation graph that triggers the null pointer dereference in the TensorFlow 1.6.x runtime, crashing the serving process and causing denial of service. Alternatively, in an automated ML training pipeline that ingests external datasets, a poisoned data sample could trigger the crash during graph execution, aborting the training job. Either path requires only knowledge of the TensorFlow API surface — no ML expertise needed.

Weaknesses (CWE)

Timeline

Published
April 23, 2019
Last Modified
November 21, 2024
First Seen
April 23, 2019

Related Vulnerabilities