CVE-2018-8825: TensorFlow Buffer overflow enables

CISO Take

TensorFlow versions 1.5.0–1.7.0 contain a memory buffer overflow (CWE-119) that allows arbitrary code execution when processing a maliciously crafted model or input tensor. Any ML pipeline still running TensorFlow below 1.7.1 is directly exposed—including training jobs, inference servers, and development environments. Upgrade to TensorFlow 1.7.1+ immediately; given TF 1.x is EOL, migration to TF 2.x is the definitive fix.

What is the risk?

High severity on paper (CVSS 8.8) but low active exploitation risk (EPSS 0.00245, not in CISA KEV). The network attack vector with required user interaction means exploitation is targeted rather than opportunistic—the most credible threat is an adversary planting a malicious model artifact in a shared repository or supply chain that a developer subsequently loads. TF 1.x is now EOL, reducing the active install base, but legacy ML environments and data science notebooks are frequently left unpatched, keeping the attack surface real in brownfield deployments.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →
TensorFlow	pip	>= 1.5.0, < 1.7.1	`1.7.1`
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →
TensorFlow	pip	>= 1.5.0, < 1.7.1	`1.7.1`
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

How severe is it?

CVSS 3.1

8.8 / 10

EPSS

0.6%

chance of exploitation in 30 days

Higher than 46% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

What is the attack surface?

AV Network

AC Low

PR None

UI Required

S Unchanged

C High

I High

A High

What should I do?

5 steps

Patch: Upgrade to tensorflow/tensorflow-gpu >= 1.7.1 via pip; migrate to TF 2.x given TF 1.x EOL status.
Detect: Run 'pip-audit' or 'safety check' against all Python environments; scan container images and MLflow/Kubeflow artifact stores for the affected version range.
Restrict model sources: Enforce allow-lists for model loading—do not pull models from unverified external registries or user-submitted sources.
Sandbox: Run all model loading and training jobs in isolated containers with least-privilege IAM roles to limit blast radius.
Monitor: Alert on unexpected outbound connections or credential access from ML worker processes.

How is it classified?

Code Execution Supply Chain Framework Inference Model AML.T0010.001 - AI Software AML.T0011 - User Execution AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.2.6 - AI System Security

NIST AI RMF

GOVERN 1.7 - AI Risk Monitoring Processes MANAGE 2.2 - Risk Treatment and Response

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2018-8825?

TensorFlow versions 1.5.0–1.7.0 contain a memory buffer overflow (CWE-119) that allows arbitrary code execution when processing a maliciously crafted model or input tensor. Any ML pipeline still running TensorFlow below 1.7.1 is directly exposed—including training jobs, inference servers, and development environments. Upgrade to TensorFlow 1.7.1+ immediately; given TF 1.x is EOL, migration to TF 2.x is the definitive fix.

Is CVE-2018-8825 actively exploited?

No confirmed active exploitation of CVE-2018-8825 has been reported, but organizations should still patch proactively.

How to fix CVE-2018-8825?

1. Patch: Upgrade to tensorflow/tensorflow-gpu >= 1.7.1 via pip; migrate to TF 2.x given TF 1.x EOL status. 2. Detect: Run 'pip-audit' or 'safety check' against all Python environments; scan container images and MLflow/Kubeflow artifact stores for the affected version range. 3. Restrict model sources: Enforce allow-lists for model loading—do not pull models from unverified external registries or user-submitted sources. 4. Sandbox: Run all model loading and training jobs in isolated containers with least-privilege IAM roles to limit blast radius. 5. Monitor: Alert on unexpected outbound connections or credential access from ML worker processes.

What systems are affected by CVE-2018-8825?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, batch inference, ML development environments, CI/CD model validation pipelines.

What is the CVSS score for CVE-2018-8825?

CVE-2018-8825 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.65%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingbatch inferenceML development environmentsCI/CD model validation pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0011 User Execution

AML.T0011.000 Unsafe AI Artifacts

AML.T0018.002 Embed Malware

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art.15

ISO 42001: A.6.2.6

NIST AI RMF: GOVERN 1.7, MANAGE 2.2

OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The impact is: execute arbitrary code (local).

Exploitation Scenario

An adversary crafts a malicious TensorFlow SavedModel or .pb graph file that embeds a payload triggering the buffer overflow on graph deserialization. The model is uploaded to a public repository (e.g., a GitHub repo, legacy TF Hub mirror, or shared S3 bucket) with a convincing README claiming it is a fine-tuned ResNet or BERT variant. A data scientist at the target organization downloads and loads the model for evaluation using tf.saved_model.load() or tf.train.import_meta_graph(). The overflow fires during graph loading, executing shellcode under the ML worker's process permissions—giving the attacker access to training datasets, environment variables containing AWS/GCP credentials, and potentially a foothold into the broader MLOps infrastructure.

Weaknesses (CWE)

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Primary CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Primary

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

[Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.