CVE-2019-9635: TensorFlow: NULL ptr deref DoS via malformed GIF input
UNKNOWN | PoC AVAILABLE
This 2019 vulnerability allows an attacker to crash TensorFlow processes by submitting a malformed GIF file, resulting in denial of service to any image-processing ML pipeline. Any TensorFlow deployment below 1.12.2 handling image inputs should be patched immediately — though in 2026 this should already be resolved in any maintained environment. Verify your TensorFlow versions across inference infrastructure and ensure input validation exists at API boundaries.
What is the risk?
Low-to-medium risk in current environments. The vulnerability is limited to availability impact (DoS) with no code execution or data exfiltration component. Exploitability is trivial — a single malformed GIF triggers the crash. Primary concern is in production inference APIs accepting unvalidated image uploads; a crash loop could degrade ML service availability. Any TensorFlow version >= 1.12.2 is not affected. Given the age (2019) and public patch availability, residual risk exists only in legacy or unpatched deployments.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
Do you use TensorFlow? You're affected.
What should I do?
1. Patch: Upgrade TensorFlow to 1.12.2 or later immediately.
2. Input validation: Implement server-side validation of uploaded files — verify magic bytes, reject malformed images before passing to TensorFlow.
3. Process isolation: Run inference workers in isolated containers/processes with automatic restart policies to minimize DoS window.
4. Rate limiting: Apply rate limits on image upload endpoints to reduce crash-loop exploitation.
5. Detection: Monitor for abnormal TensorFlow process termination events and correlate with incoming request payloads.
6. Inventory: Audit all TensorFlow versions across inference servers, training infrastructure, and CI/CD pipelines.
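One way to implement the input-validation step above, as an added example (not code from the advisory or from TensorFlow): a structural pre-filter that checks the GIF magic bytes and walks the block structure before the bytes reach the decoder. The names `validate_gif` and `GifRejected` and the `max_side` limit are assumptions; the advisory does not describe the specific malformation, so this filters malformed files in general and does not replace the upgrade.

```python
import struct

class GifRejected(ValueError):
    """Upload failed the structural GIF checks."""

def _skip_sub_blocks(data, pos):
    # Sub-blocks are <len><len bytes>..., ended by a zero-length block.
    while pos < len(data):
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos
    raise GifRejected("truncated sub-block chain")

def _skip_color_table(data, pos, packed):
    # Bit 7 set means a table of 3 * 2^(N+1) bytes follows (N = low 3 bits).
    return pos + 3 * (2 << (packed & 0x07)) if packed & 0x80 else pos

def validate_gif(data, max_side=8192):
    """Return the frame count of a structurally sound GIF, else raise GifRejected."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise GifRejected("bad magic bytes or truncated header")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    if not (0 < width <= max_side and 0 < height <= max_side):
        raise GifRejected("implausible canvas size")
    pos, frames = _skip_color_table(data, 13, packed), 0
    while pos < len(data):
        kind = data[pos]
        if kind == 0x3B:                       # trailer: accept only if a frame was seen
            if frames == 0:
                raise GifRejected("no image frames")
            return frames
        if kind == 0x21:                       # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif kind == 0x2C:                     # image descriptor is 10 bytes
            if pos + 10 > len(data):
                raise GifRejected("truncated image descriptor")
            w, h, local = struct.unpack_from("<HHB", data, pos + 5)
            if w == 0 or h == 0:
                raise GifRejected("zero-sized frame")
            # optional local color table, 1-byte LZW code size, pixel sub-blocks
            pos = _skip_sub_blocks(data, _skip_color_table(data, pos + 10, local) + 1)
            frames += 1
        else:
            raise GifRejected(f"unknown block type 0x{kind:02x}")
    raise GifRejected("missing trailer")

# Constructed sample input: a minimal 1x1 GIF89a.
SAMPLE_GIF = bytes.fromhex("474946383961 01000100800000 ffffff000000 2c000000000100010000 0202440100 3b")
```

Call `validate_gif` at the API boundary and return a 4xx on `GifRejected`, so a rejected upload never reaches the inference worker.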
Frequently Asked Questions
Is CVE-2019-9635 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2019-9635, increasing the risk of exploitation.
What systems are affected by CVE-2019-9635?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference endpoints.
What is the CVSS score for CVE-2019-9635?
No CVSS score has been assigned yet.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0029 Denial of AI Service
- AML.T0043 Craft Adversarial Data
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
NULL pointer dereference in Google TensorFlow before 1.12.2 could cause a denial of service via an invalid GIF file.
Exploitation Scenario
An adversary targeting an organization's image classification API (e.g., a content moderation or medical imaging service powered by TensorFlow) crafts or obtains a malformed GIF file that triggers the NULL pointer dereference. They submit this file via the public-facing upload endpoint. The TensorFlow process crashes, taking down the inference service. If the service lacks automatic restart or circuit-breaking logic, this results in sustained unavailability. The attacker can automate repeated submissions to maintain the DoS state, disrupting business operations dependent on the ML service.
Weaknesses (CWE)
CWE-476 — NULL Pointer Dereference: The product dereferences a pointer that it expects to be valid but is NULL.
- [Implementation] For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
- [Requirements] Select a programming language that is not susceptible to these issues.
Source: MITRE CWE corpus.
Related Vulnerabilities
| CVE | Score | Summary | Relation |
|---|---|---|---|
| CVE-2020-15196 | 9.9 | TensorFlow: heap OOB read in sparse/ragged count ops | Same package: tensorflow |
| CVE-2020-15205 | 9.8 | TensorFlow: heap overflow in StringNGrams, ASLR bypass | Same package: tensorflow |
| CVE-2020-15208 | 9.8 | TFLite: OOB read/write via tensor dimension mismatch | Same package: tensorflow |
| CVE-2019-16778 | 9.8 | TensorFlow: heap overflow in UnsortedSegmentSum op | Same package: tensorflow |
| CVE-2022-23587 | 9.8 | TensorFlow: integer overflow in Grappler enables RCE | Same package: tensorflow |