AI Threat Alert

CVE-2018-7577: TensorFlow: Snappy memcpy overlap crash/mem disclosure

UNKNOWN
Published April 24, 2019
CISO Take

TensorFlow deployments prior to 1.7.1 are vulnerable to a memory safety bug in the bundled Snappy compression library that can crash the process or leak memory contents. Any legacy TF inference server or training pipeline still on TF <1.7.1 should be treated as a priority upgrade — the attack surface is any code path that decompresses Snappy-encoded data (TFRecords, checkpoints, protocol buffers). Modern TF deployments (1.7.1+) are not affected; audit your model-serving and data-pipeline containers for pinned legacy versions.

What is the risk?

Risk is LOW for organizations running current TensorFlow versions but HIGH for legacy deployments common in long-lived ML infrastructure. No CVSS score is officially assigned, but the underlying flaw (CWE-20 improper input validation leading to overlapping memcpy) is well-understood and exploitable by crafting malicious compressed input. The memory-read primitive is the more dangerous outcome — it could expose training data, model weights, or credentials resident in process memory. Crash-based DoS is trivially achievable. The 2019 publish date means many organizations may have silently carried this in containerized ML workloads never upgraded past TF 1.x.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →
snappy No patch

How severe is it?

CVSS 3.1
N/A
EPSS
0.4%
chance of exploitation in 30 days
Higher than 34% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Moderate

What should I do?

5 steps

  1. PATCH

    Upgrade TensorFlow to >= 1.7.1 immediately on all inference servers, training workers, and notebook environments.

  2. AUDIT

    Inventory all containers and VMs with pinned TF 1.x versions — check Dockerfile FROM lines and requirements.txt/environment.yml files.

  3. ISOLATION

    If upgrade is not immediately possible, ensure TF serving endpoints do not accept externally-supplied compressed payloads directly; add input validation at the API gateway layer.

  4. DETECT

    Monitor for unexpected process crashes in TF serving pods — repeated crashes of ML serving containers may indicate exploitation attempts.

  5. SBOM

    Validate that no internal ML platform bundles Snappy 1.1.4 as a transitive dependency outside of TF (e.g., Apache Arrow, LevelDB wrappers).

How is it classified?

DoS Data Extraction Supply Chain Framework Training Data Inference AML.T0010.001 AML.T0035 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

ISO 42001
8.4 - AI system risk management
NIST AI RMF
GOVERN-1.7 - Processes for AI risk identification and tracking MANAGE-2.2 - Mechanisms to sustain oversight of AI risks
OWASP LLM Top 10
LLM06:2025 - Excessive Agency / Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2018-7577?

TensorFlow deployments prior to 1.7.1 are vulnerable to a memory safety bug in the bundled Snappy compression library that can crash the process or leak memory contents. Any legacy TF inference server or training pipeline still on TF <1.7.1 should be treated as a priority upgrade — the attack surface is any code path that decompresses Snappy-encoded data (TFRecords, checkpoints, protocol buffers). Modern TF deployments (1.7.1+) are not affected; audit your model-serving and data-pipeline containers for pinned legacy versions.

Is CVE-2018-7577 actively exploited?

No confirmed active exploitation of CVE-2018-7577 has been reported, but organizations should still patch proactively.

How to fix CVE-2018-7577?

1. PATCH: Upgrade TensorFlow to >= 1.7.1 immediately on all inference servers, training workers, and notebook environments. 2. AUDIT: Inventory all containers and VMs with pinned TF 1.x versions — check Dockerfile FROM lines and requirements.txt/environment.yml files. 3. ISOLATION: If upgrade is not immediately possible, ensure TF serving endpoints do not accept externally-supplied compressed payloads directly; add input validation at the API gateway layer. 4. DETECT: Monitor for unexpected process crashes in TF serving pods — repeated crashes of ML serving containers may indicate exploitation attempts. 5. SBOM: Validate that no internal ML platform bundles Snappy 1.1.4 as a transitive dependency outside of TF (e.g., Apache Arrow, LevelDB wrappers).

What systems are affected by CVE-2018-7577?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, data ingestion pipelines, distributed training.

What is the CVSS score for CVE-2018-7577?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingdata ingestion pipelinesdistributed training

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

ISO 42001: 8.4
NIST AI RMF: GOVERN-1.7, MANAGE-2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or read from other parts of process memory.

Exploitation Scenario

An adversary with access to a TensorFlow model-serving endpoint or a data ingestion pipeline (e.g., a TFRecord upload endpoint) crafts a maliciously overlapping Snappy-compressed payload. When the TF process decompresses this input, the memcpy overlap triggers either a segfault (crashing the serving pod, causing service disruption) or returns memory from adjacent process regions. In a training pipeline scenario, an attacker who can inject poisoned TFRecord files into a shared data lake could trigger the vulnerability during the data-loading phase, potentially reading batch data or model state from memory. In a serving scenario, a single malformed inference request could be sufficient to crash or read memory from a multi-tenant TF Serving instance.

Weaknesses (CWE)

CWE-20 Improper Input Validation Primary

CWE-20 — Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

  • [Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
  • [Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).

Source: MITRE CWE corpus.

References

Timeline

Published
April 24, 2019
Last Modified
November 21, 2024
First Seen
April 24, 2019

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed