CVE-2023-25670: TensorFlow: null ptr DoS in quantized MKL MatMul

HIGH
Published March 25, 2023
CISO Take

TensorFlow builds with Intel MKL support that execute the fused quantized op QuantizedMatMulWithBiasAndDequantize can be crashed remotely through a null pointer dereference; no authentication is required. Impact is availability only (no data exposure), but a single crafted inference request can take down the serving process, and repeating it defeats automatic restarts. Patch to TF 2.12.0 or 2.11.1 now. If patching is delayed, restart serving with MKL disabled (TF_DISABLE_MKL=1) and verify in staging that the workaround holds for your model, and remove unauthenticated network access to TF Serving endpoints.

What is the risk?

CVSS 7.5 HIGH. Network-exploitable, zero authentication, low attack complexity — any internet-exposed TensorFlow serving endpoint using quantized MKL operations is a viable target. Impact is limited strictly to availability (C:N/I:N/A:H); no data exfiltration risk. Absence from CISA KEV and no confirmed active exploitation reduces urgency slightly, but the trivial network path and zero-auth requirement warrant prompt remediation for any production inference infrastructure.

What systems are affected?

Package     Ecosystem   Vulnerable Range                                        Patched
TensorFlow  pip         < 2.11.1 on the 2.11 branch; otherwise < 2.12.0        2.11.1, 2.12.0

Do you run TensorFlow < 2.11.1 (2.11 branch) or < 2.12.0 built with MKL support, serving a graph that contains QuantizedMatMulWithBiasAndDequantize? You're affected.

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 31% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: None
I: None
A: High

What should I do?

5 steps
  1. Patch: Upgrade TensorFlow to 2.12.0 or 2.11.1; the advisory confirms the fix in both branches.

  2. Workaround: If patching is blocked, restart the serving process with TF_DISABLE_MKL=1 in its environment to disable MKL acceleration. The variable only matters on builds compiled with MKL support and is read once by the TensorFlow runtime, so an already-running process must be restarted with it set; verify the workaround against a staging copy of the model rather than assuming it removes the affected op.

  3. Network hardening: Put model serving endpoints behind an authenticated API gateway and block unauthenticated internet access to TF Serving's REST and gRPC ports.

  4. Detection: A null pointer dereference kills the serving process with SIGSEGV; on Linux the kernel logs it as a "segfault at 0" (or at a small address) for the serving binary. Alert on any such crash from TF Serving and on abnormal restart frequency of the serving unit, since an attacker who repeats the request will keep the process in a crash loop.

  5. Inventory: Identify every production workload running TensorFlow < 2.11.1 on the 2.11 branch or < 2.12.0 on any other branch, built with MKL enabled, whose served graph contains QuantizedMatMulWithBiasAndDequantize.
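The inventory step above has two parts that are easy to get wrong: the version test has two fix lines (2.11.1 on the 2.11 branch, 2.12.0 elsewhere), so a single "< 2.12.0" comparison would misclassify the patched 2.11.1; and the reachable code path is the specific op the advisory names, which appears verbatim in serialized GraphDef / SavedModel files. The script below is an added example written for this page, not code from the TensorFlow project. It assumes PEP 440-style version strings and *.pb model artifacts; the sample graphs and model names are constructed, and `triage`, `find_affected_models` and the action labels are this example's own names.

```python
"""Inventory helper for CVE-2023-25670.

Added example for this page, not code from the TensorFlow project. Assumptions:
  * TensorFlow version strings are PEP 440 style ("2.11.0", "2.12.0rc1", "2.10.1").
  * Model artifacts are SavedModel / frozen GraphDef protobufs (*.pb). A NodeDef
    stores its op type as a plain string, so a graph that uses the op named in the
    advisory contains that name verbatim in the file bytes.
"""
import re
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# Op named in the advisory; a graph containing it reaches the affected kernel on
# an MKL-enabled build.
VULNERABLE_OP = b"QuantizedMatMulWithBiasAndDequantize"

# Fix lines from the advisory: 2.11.1 on the 2.11 branch, 2.12.0 for everything else.
FIXED_2_11 = (2, 11, 1)
FIXED_2_12 = (2, 12, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)((?:a|b|rc|\.dev)\d+)?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Sortable key (major, minor, patch, final); final is 0 for pre-releases so that
    2.12.0rc1 sorts before 2.12.0. Local suffixes such as "+cpu" are ignored."""
    m = _VERSION_RE.match(version.strip().split("+")[0])
    if not m:
        raise ValueError(f"unrecognised TensorFlow version: {version!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_vulnerable_version(version: str) -> bool:
    """Apply both fix lines. A single `< 2.12.0` comparison would wrongly flag the
    patched 2.11.1 release, the usual mistake with two-branch fixes."""
    key = parse_version(version)
    if key[:2] == FIXED_2_11[:2]:
        return key < FIXED_2_11 + (1,)
    return key < FIXED_2_12 + (1,)


def graph_uses_vulnerable_op(graph_bytes: bytes) -> bool:
    """Byte-level scan of a serialized GraphDef / SavedModel for the op type name."""
    return VULNERABLE_OP in graph_bytes


def find_affected_models(root: Path) -> Iterator[Path]:
    """Yield every *.pb file under `root` whose graph contains the vulnerable op."""
    for pb in sorted(Path(root).rglob("*.pb")):
        if graph_uses_vulnerable_op(pb.read_bytes()):
            yield pb


def triage(tf_version: str, graphs: Dict[str, bytes]) -> Dict[str, object]:
    """Inventory verdict for one workload: its TensorFlow version plus the graphs it serves."""
    hits: List[str] = [name for name, data in graphs.items() if graph_uses_vulnerable_op(data)]
    vulnerable_build = is_vulnerable_version(tf_version)
    if vulnerable_build and hits:
        action = "patch now: vulnerable build serving the affected op"
    elif vulnerable_build:
        action = "patch on schedule: vulnerable build, affected op not found in inventoried graphs"
    else:
        action = "not affected: fixed TensorFlow release"
    return {"tf_version": tf_version, "vulnerable_build": vulnerable_build,
            "models_with_op": hits, "action": action}


# Constructed sample graphs (minimal NodeDef encodings: field 1 = name, field 2 = op),
# standing in for real saved_model.pb files.
SAMPLE_GRAPHS = {
    "fraud-int8/saved_model.pb": b"\x0a\x08matmul_q\x12\x24QuantizedMatMulWithBiasAndDequantize",
    "ranker-fp32/saved_model.pb": b"\x0a\x06matmul\x12\x06MatMul",
}

if __name__ == "__main__":
    for version in ("2.10.1", "2.11.0", "2.11.1", "2.12.0rc1", "2.12.0"):
        print(version, triage(version, SAMPLE_GRAPHS)["action"])
```

Point `find_affected_models` at a model repository to list the graphs that matter; the byte scan is deliberately dependency-free so it runs on a bastion host without TensorFlow installed. A graph that does not contain the op is still worth patching on the normal cadence, which is why the verdict distinguishes "patch now" from "patch on schedule".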

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
8.4 - AI System Operation
NIST AI RMF
MANAGE-2.2 - Mechanisms to respond to and recover from AI risks

Frequently Asked Questions

What is CVE-2023-25670?

TensorFlow builds with Intel MKL support that execute the fused quantized op QuantizedMatMulWithBiasAndDequantize can be crashed remotely through a null pointer dereference; no authentication is required. Impact is availability only (no data exposure), but a single crafted inference request can take down the serving process, and repeating it defeats automatic restarts. Patch to TF 2.12.0 or 2.11.1 now. If patching is delayed, restart serving with MKL disabled (TF_DISABLE_MKL=1) and verify in staging that the workaround holds for your model, and remove unauthenticated network access to TF Serving endpoints.

Is CVE-2023-25670 actively exploited?

No confirmed active exploitation of CVE-2023-25670 has been reported, but organizations should still patch proactively.

How to fix CVE-2023-25670?

1. Patch: Upgrade TensorFlow to 2.12.0 or 2.11.1; the fix is confirmed in both branches.
2. Workaround: If patching is blocked, restart the serving process with TF_DISABLE_MKL=1 set to disable MKL acceleration (only meaningful on MKL-enabled builds; verify it in staging).
3. Network hardening: Put model serving endpoints behind an authenticated API gateway and block unauthenticated internet access to TF Serving ports.
4. Detection: Alert on SIGSEGV crashes of the TF Serving process (Linux logs them as "segfault at 0" for a null dereference) and on abnormal restart frequency.
5. Inventory: Identify every production workload running TensorFlow < 2.11.1 on the 2.11 branch or < 2.12.0 otherwise, built with MKL, whose served graph contains QuantizedMatMulWithBiasAndDequantize.

What systems are affected by CVE-2023-25670?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference pipelines, training pipelines.

What is the CVSS score for CVE-2023-25670?

CVE-2023-25670 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.39%.

What is the AI security impact?

Affected AI Architectures

model serving, inference pipelines, training pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: 8.4
NIST AI RMF: MANAGE-2.2

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 have a null pointer error in QuantizedMatMulWithBiasAndDequantize with MKL enabled. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Exploitation Scenario

An adversary finds an exposed TensorFlow Serving REST or gRPC endpoint; TF Serving's REST API publishes model metadata, and error messages and banners identify it as well. If the served graph uses QuantizedMatMulWithBiasAndDequantize on an MKL-enabled build, which the adversary may learn from model card disclosures or simply try, they send a crafted inference request that drives the op down its null pointer dereference path. No credentials are needed. The serving process dies with SIGSEGV and the API goes down; for a SaaS AI product that is a user-facing outage and an SLA breach. Re-sending the request each time the supervisor restarts the process turns one crash into a crash loop, so restart-on-failure alone does not recover the service.
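The crash loop described above leaves a distinctive trace on a Linux host: the kernel logs each death as a segfault at address 0 for the serving binary, and systemd records each scheduled restart. The detector below, an added example written for this page and not part of TensorFlow or TF Serving, parses such lines and raises an alert on either signal; it backs the detection step in "What should I do?". Its log lines are constructed; it assumes syslog-style timestamps without a year (2023 is assumed), a systemd unit named tf-serving.service, and a kernel "comm" of tensorflow_mode, which is how the kernel's 15-character truncation renders tensorflow_model_server. The function and threshold names are this example's own.

```python
"""Crash-loop detector for TF Serving hosts (added example, not TensorFlow project code).

Assumptions:
  * Logs are syslog-style lines (no year; YEAR below is assumed) from the kernel and
    systemd, as read from `journalctl -k` / `journalctl -u tf-serving.service`.
  * The serving binary's kernel "comm" is "tensorflow_mode": the kernel truncates
    process names to 15 characters, so tensorflow_model_server shows up that way.
  * A fault address below PAGE_SIZE is treated as a NULL (or NULL+offset) dereference.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

YEAR = 2023                     # syslog timestamps carry no year (assumed)
PAGE_SIZE = 0x1000              # faults inside the zero page => NULL pointer dereference
COMM_PREFIX = "tensorflow_mode"  # truncated comm of tensorflow_model_server
LOOP_WINDOW = timedelta(minutes=5)
LOOP_THRESHOLD = 3              # restarts inside LOOP_WINDOW that count as a crash loop

_TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
SEGFAULT_RE = re.compile(
    _TS + r"kernel: (?P<comm>[^\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ error \d+ in (?P<obj>[^\[]+)\["
)
RESTART_RE = re.compile(
    _TS + r"systemd\[1\]: (?P<unit>\S+): Scheduled restart job, restart counter is at (?P<n>\d+)\."
)


def _parse_ts(text: str) -> datetime:
    return datetime.strptime(f"{text} {YEAR}", "%b %d %H:%M:%S %Y")


def null_deref_crashes(lines: List[str]) -> List[Dict]:
    """Segfaults from the serving binary whose fault address lies in the zero page."""
    hits = []
    for line in lines:
        m = SEGFAULT_RE.match(line)
        if not m or not m.group("comm").startswith(COMM_PREFIX):
            continue  # other processes, or lines that are not kernel segfault reports
        addr = int(m.group("addr"), 16)
        if addr < PAGE_SIZE:
            hits.append({"ts": _parse_ts(m.group("ts")), "pid": int(m.group("pid")),
                         "addr": addr, "obj": m.group("obj")})
    return hits


def restart_times(lines: List[str], unit: str) -> List[datetime]:
    """Timestamps of systemd's scheduled restarts for one unit, oldest first."""
    return sorted(_parse_ts(m.group("ts")) for m in map(RESTART_RE.match, lines)
                  if m and m.group("unit") == unit)


def crash_loop(times: List[datetime], window: timedelta = LOOP_WINDOW,
               threshold: int = LOOP_THRESHOLD) -> bool:
    """True if any `threshold` consecutive restarts fall inside `window`."""
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))


def analyze(log_text: str, unit: str = "tf-serving.service") -> Dict:
    """Alert on a single NULL-deref crash of the serving binary or on a restart storm."""
    lines = log_text.splitlines()
    crashes = null_deref_crashes(lines)
    restarts = restart_times(lines, unit)
    looping = crash_loop(restarts)
    return {"null_deref_crashes": len(crashes), "restarts": len(restarts),
            "crash_loop": looping, "alert": bool(crashes) or looping}


# Constructed sample: three NULL-deref crashes of the serving binary in 30 seconds, each
# followed by a systemd restart, plus an unrelated python3 crash at a real heap address.
SAMPLE_LOG = """\
Mar 26 10:01:05 infer-01 kernel: tensorflow_mode[24567]: segfault at 0 ip 00007f3a1c2b4d10 sp 00007ffd5a1b2c30 error 4 in libtensorflow_cc.so.2[7f3a1b800000+9c00000]
Mar 26 10:01:06 infer-01 systemd[1]: tf-serving.service: Main process exited, code=killed, status=11/SEGV
Mar 26 10:01:06 infer-01 systemd[1]: tf-serving.service: Scheduled restart job, restart counter is at 1.
Mar 26 10:01:20 infer-01 kernel: tensorflow_mode[24601]: segfault at 0 ip 00007f8b0d2b4d10 sp 00007ffe1c3d4e50 error 4 in libtensorflow_cc.so.2[7f8b0c800000+9c00000]
Mar 26 10:01:21 infer-01 systemd[1]: tf-serving.service: Scheduled restart job, restart counter is at 2.
Mar 26 10:01:35 infer-01 kernel: tensorflow_mode[24633]: segfault at 0 ip 00007f2c9e2b4d10 sp 00007ffc7a8b9ca0 error 4 in libtensorflow_cc.so.2[7f2c9d800000+9c00000]
Mar 26 10:01:36 infer-01 systemd[1]: tf-serving.service: Scheduled restart job, restart counter is at 3.
Mar 26 10:40:02 infer-01 kernel: python3[31001]: segfault at 7f11a0000048 ip 000055d2a1b3c4d0 sp 00007ffd0a0b0c00 error 4 in python3.10[55d2a1a00000+2a0000]
"""

# Constructed baseline: three restarts spread over 25 minutes and no serving-binary crash.
SAMPLE_LOG_SPARSE = """\
Mar 26 11:02:00 infer-02 systemd[1]: tf-serving.service: Scheduled restart job, restart counter is at 1.
Mar 26 11:14:00 infer-02 systemd[1]: tf-serving.service: Scheduled restart job, restart counter is at 2.
Mar 26 11:27:00 infer-02 systemd[1]: tf-serving.service: Scheduled restart job, restart counter is at 3.
Mar 26 11:30:11 infer-02 kernel: python3[31001]: segfault at 7f11a0000048 ip 000055d2a1b3c4d0 sp 00007ffd0a0b0c00 error 4 in python3.10[55d2a1a00000+2a0000]
"""

if __name__ == "__main__":
    print("attack host:", analyze(SAMPLE_LOG))
    print("baseline host:", analyze(SAMPLE_LOG_SPARSE))
```

A single zero-page segfault from the serving binary is alert-worthy on its own, since a healthy inference process should never dereference NULL; the restart-window rule catches the same attack when kernel messages are not forwarded. The unrelated python3 crash is ignored both because its comm does not match and because its fault address is a real heap address.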

Weaknesses (CWE)

CWE-476 — NULL Pointer Dereference: The product dereferences a pointer that it expects to be valid but is NULL.

  • [Implementation] For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
  • [Requirements] Select a programming language that is not susceptible to these issues.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
March 25, 2023
Last Modified
November 21, 2024
First Seen
March 25, 2023
