CVE-2019-9635: TensorFlow: NULL ptr deref DoS via malformed GIF input
UNKNOWN | PoC AVAILABLE
This 2019 vulnerability allows an attacker to crash TensorFlow processes by submitting a malformed GIF file, resulting in denial of service to any image-processing ML pipeline. Any TensorFlow deployment below 1.12.2 handling image inputs should be patched immediately — though in 2026 this should already be resolved in any maintained environment. Verify your TensorFlow versions across inference infrastructure and ensure input validation exists at API boundaries.
Risk Assessment
Low-to-medium risk in current environments. The vulnerability is limited to availability impact (DoS) with no code execution or data exfiltration component. Exploitability is trivial — a single malformed GIF triggers the crash. Primary concern is in production inference APIs accepting unvalidated image uploads; a crash loop could degrade ML service availability. Any TensorFlow version >= 1.12.2 is not affected. Given the age (2019) and public patch availability, residual risk exists only in legacy or unpatched deployments.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | < 1.12.2 | 1.12.2 |
Do you use tensorflow below 1.12.2? You're affected.
Recommended Action
6 steps
- Patch: Upgrade TensorFlow to 1.12.2 or later immediately.
- Input validation: Implement server-side validation of uploaded files — verify magic bytes, reject malformed images before passing to TensorFlow.
- Process isolation: Run inference workers in isolated containers/processes with automatic restart policies to minimize DoS window.
- Rate limiting: Apply rate limits on image upload endpoints to reduce crash-loop exploitation.
- Detection: Monitor for abnormal TensorFlow process termination events and correlate with incoming request payloads.
- Inventory: Audit all TensorFlow versions across inference servers, training infrastructure, and CI/CD pipelines.
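As an added example (not code from this page or from the TensorFlow project), the following Python shows what the Patch, Input validation and Inventory steps look like in practice: a structural GIF pre-check that an upload handler can run before any bytes reach a decoder, written from the public GIF89a block layout (signature, logical screen descriptor, color tables, extension and image blocks, trailer), plus a version gate at the 1.12.2 fix boundary stated in the NVD description. The names validate_gif, screen_upload and is_patched_version, the 50 million pixel budget, and all sample bytes are constructed here; the malformed samples are generic structural defects, not any published PoC.

```python
import re
import struct

# Added example (not TensorFlow code): structural GIF pre-check from the public GIF89a layout
# plus a version gate at the 1.12.2 fix boundary (NVD: versions before 1.12.2 are vulnerable).
PATCHED_VERSION = (1, 12, 2)
GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([.\-]?(?:a|b|rc|dev)\d*)?")

class GifValidationError(ValueError):
    """Any input that does not follow the GIF block structure."""

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Walk data sub-blocks (length byte + payload) to the 0x00 terminator; return new offset."""
    while True:
        if pos >= len(data):
            raise GifValidationError("truncated sub-block chain")
        n, pos = data[pos], pos + 1
        if n == 0:
            return pos
        if pos + n > len(data):
            raise GifValidationError("sub-block length runs past end of file")
        pos += n

def _color_table_bytes(packed: int) -> int:
    """Byte length of the color table announced by a packed-flags byte (0 if absent)."""
    return 3 * (1 << ((packed & 0x07) + 1)) if packed & 0x80 else 0

def validate_gif(data: bytes, max_pixels: int = 50_000_000) -> dict:
    """Reject anything that is not a structurally complete GIF before a decoder sees it:
    signature, non-zero screen, color tables and blocks inside the file, a frame, a trailer."""
    if len(data) < 13 or data[:6] not in GIF_SIGNATURES:
        raise GifValidationError("missing GIF87a/GIF89a signature or header")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    if width == 0 or height == 0 or width * height > max_pixels:
        raise GifValidationError("logical screen is empty or exceeds the pixel budget")
    pos = 13 + _color_table_bytes(packed)                 # skip the global color table
    if pos > len(data):
        raise GifValidationError("global color table runs past end of file")
    frames = 0
    while True:
        if pos >= len(data):
            raise GifValidationError("no trailer (0x3B) before end of file")
        block, pos = data[pos], pos + 1
        if block == 0x3B:                                 # trailer: end of stream
            break
        if block == 0x21:                                 # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:                               # image descriptor, then pixel data
            if pos + 9 > len(data):
                raise GifValidationError("truncated image descriptor")
            left, top, w, h, ipacked = struct.unpack_from("<HHHHB", data, pos)
            if w == 0 or h == 0 or left + w > width or top + h > height:
                raise GifValidationError("frame is empty or lies outside the logical screen")
            pos += 9 + _color_table_bytes(ipacked)        # skip the local color table
            if pos >= len(data):
                raise GifValidationError("local color table runs past end of file")
            lzw_min, pos = data[pos], pos + 1
            if not 2 <= lzw_min <= 8:
                raise GifValidationError(f"invalid LZW minimum code size {lzw_min}")
            pos = _skip_sub_blocks(data, pos)
            frames += 1
        else:
            raise GifValidationError(f"unexpected block introducer 0x{block:02x}")
    if frames == 0:
        raise GifValidationError("no image frames")
    return {"width": width, "height": height, "frames": frames}

def is_patched_version(version: str) -> bool:
    """True if a TensorFlow version string (tf.__version__ or `pip show`) is >= 1.12.2.
    Pre-releases of 1.12.2 itself (e.g. 1.12.2rc0) predate the fix and count as unpatched."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    release = tuple(int(g) for g in m.group(1, 2, 3))
    return release > PATCHED_VERSION or (release == PATCHED_VERSION and m.group(4) is None)

def screen_upload(data: bytes) -> tuple[bool, str]:
    """Upload-handler gate: (accepted, reason). Only accepted bytes go on to the model."""
    try:
        meta = validate_gif(data)
    except GifValidationError as exc:
        return False, str(exc)
    return True, f"gif {meta['width']}x{meta['height']}, {meta['frames']} frame(s)"

# Constructed samples (not from any PoC): a 1x1 GIF89a built field by field, plus variants
# malformed in the ways an upload gate should stop.
SAMPLE_GIF = b"".join([
    b"GIF89a", b"\x01\x00\x01\x00", b"\x80\x00\x00",      # header: 1x1, 2-entry global table
    b"\x00\x00\x00\xff\xff\xff",                          # global color table
    b"\x21\xf9\x04\x01\x00\x00\x00\x00",                  # graphic control extension
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00",          # image descriptor: 1x1 at (0,0)
    b"\x02", b"\x02\x44\x01\x00", b"\x3b",                # LZW min size, one sub-block, trailer
])
MALFORMED_SAMPLES = {
    "not_a_gif": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "truncated_mid_descriptor": SAMPLE_GIF[:30],
    "missing_trailer": SAMPLE_GIF[:-1],
    "sub_block_overflow": SAMPLE_GIF[:21] + b"\xff" + SAMPLE_GIF[22:],
    "zero_size_screen": SAMPLE_GIF[:6] + b"\x00" * 4 + SAMPLE_GIF[10:],
}
```

Call `screen_upload(request_body)` in the upload handler and only forward accepted bytes to the model; feed `tensorflow.__version__` (or the version column from `pip list`) to `is_patched_version` during the inventory sweep. The validator deliberately does not decode LZW pixel data: it only proves that every block the decoder will read is present and sized consistently, which is the cheap check that belongs at the API boundary, while decoding still happens in the isolated, auto-restarting worker described in the Process isolation step.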
Frequently Asked Questions
What is CVE-2019-9635?
This 2019 vulnerability allows an attacker to crash TensorFlow processes by submitting a malformed GIF file, resulting in denial of service to any image-processing ML pipeline. Any TensorFlow deployment below 1.12.2 handling image inputs should be patched immediately — though in 2026 this should already be resolved in any maintained environment. Verify your TensorFlow versions across inference infrastructure and ensure input validation exists at API boundaries.
Is CVE-2019-9635 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2019-9635, increasing the risk of exploitation.
How to fix CVE-2019-9635?
1. Patch: Upgrade TensorFlow to 1.12.2 or later immediately.
2. Input validation: Implement server-side validation of uploaded files — verify magic bytes, reject malformed images before passing to TensorFlow.
3. Process isolation: Run inference workers in isolated containers/processes with automatic restart policies to minimize DoS window.
4. Rate limiting: Apply rate limits on image upload endpoints to reduce crash-loop exploitation.
5. Detection: Monitor for abnormal TensorFlow process termination events and correlate with incoming request payloads.
6. Inventory: Audit all TensorFlow versions across inference servers, training infrastructure, and CI/CD pipelines.
What systems are affected by CVE-2019-9635?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference endpoints.
What is the CVSS score for CVE-2019-9635?
No CVSS score has been assigned yet.
Technical Details
NVD Description
NULL pointer dereference in Google TensorFlow before 1.12.2 could cause a denial of service via an invalid GIF file.
Exploitation Scenario
An adversary targeting an organization's image classification API (e.g., a content moderation or medical imaging service powered by TensorFlow) crafts or obtains a malformed GIF file that triggers the NULL pointer dereference. They submit this file via the public-facing upload endpoint. The TensorFlow process crashes, taking down the inference service. If the service lacks automatic restart or circuit-breaking logic, this results in sustained unavailability. The attacker can automate repeated submissions to maintain the DoS state, disrupting business operations dependent on the ML service.
Related Vulnerabilities
| CVE | Score | Summary | Relation |
|---|---|---|---|
| CVE-2020-15196 | 9.9 | TensorFlow: heap OOB read in sparse/ragged count ops | Same package: tensorflow |
| CVE-2020-15205 | 9.8 | TensorFlow: heap overflow in StringNGrams, ASLR bypass | Same package: tensorflow |
| CVE-2020-15208 | 9.8 | TFLite: OOB read/write via tensor dimension mismatch | Same package: tensorflow |
| CVE-2019-16778 | 9.8 | TensorFlow: heap overflow in UnsortedSegmentSum op | Same package: tensorflow |
| CVE-2022-23587 | 9.8 | TensorFlow: integer overflow in Grappler enables RCE | Same package: tensorflow |