CVE-2023-25670: TensorFlow: null ptr DoS in quantized MKL MatMul

HIGH
Published March 25, 2023
CISO Take

TensorFlow deployments running quantized models on Intel hardware with MKL acceleration are vulnerable to remote crash via null pointer dereference — no authentication required. Impact is availability only (no data exposure), but a single crafted inference request can take down model serving infrastructure. Patch to TF 2.12.0 or 2.11.1 immediately; if patching is delayed, disable MKL (TF_DISABLE_MKL=1) or remove unauthenticated network access to TF serving endpoints.

Risk Assessment

CVSS 7.5 HIGH. Network-exploitable, zero authentication, low attack complexity: any internet-exposed TensorFlow serving endpoint using quantized MKL operations is a viable target. Impact is limited strictly to availability (C:N/I:N/A:H); no data exfiltration risk. Absence from CISA KEV and the lack of confirmed active exploitation reduce urgency slightly, but the trivial network path and zero-auth requirement warrant prompt remediation for any production inference infrastructure.

Affected Systems

Package      Ecosystem   Vulnerable Range   Patched
tensorflow   pip                            No patch

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 47% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: None
I: None
A: High

Recommended Action

  1. Patch: Upgrade TensorFlow to 2.12.0 or 2.11.1 — fixes are confirmed in both branches.

  2. Workaround: Set TF_DISABLE_MKL=1 environment variable to disable MKL acceleration if immediate patching is blocked.

  3. Network hardening: Ensure model serving endpoints are behind authenticated API gateways; block unauthenticated internet access to TF Serving ports.

  4. Detection: Monitor TF serving processes for unexpected crashes or SIGSEGV/SIGABRT signals; alert on abnormal restart frequency.

  5. Inventory: Identify all production workloads running TF < 2.12.0 with MKL enabled and quantized MatMul ops.
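
A triage sketch for steps 1, 2 and 5 above, added here as an example; it is not part of the original advisory or of TensorFlow. The inventory record layout (name, tf_version, env, ops) and the status labels are assumptions. It treats pre-releases of a fixed version as unpatched and checks only whether TF_DISABLE_MKL=1 is set, not whether the build actually includes MKL.

```python
import re

# Fixed releases named in the advisory; everything earlier is in scope.
FIXED_2_11 = (2, 11, 1)
FIXED_NEXT = (2, 12, 0)
AFFECTED_OP = "QuantizedMatMulWithBiasAndDequantize"  # op named in the NVD text

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for a pip-style version."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    release = tuple(int(part) for part in m.group(1, 2, 3))
    # rc/a/b/dev builds sort before the final release, so 2.12.0rc1 < 2.12.0.
    is_pre = re.match(r"[-_.]?(rc|a|b|dev)", m.group(4).lower()) is not None
    return release, is_pre

def is_patched(version):
    release, is_pre = parse_version(version)
    fixed = FIXED_2_11 if release[:2] == (2, 11) else FIXED_NEXT
    return release > fixed or (release == fixed and not is_pre)

def triage(workload):
    """Classify one inventory record against steps 1, 2 and 5."""
    if is_patched(workload["tf_version"]):
        return "patched"
    if workload.get("env", {}).get("TF_DISABLE_MKL") == "1":
        return "workaround"       # unpatched, MKL disabled per step 2
    if AFFECTED_OP in workload.get("ops", ()):
        return "exposed"          # unpatched, MKL not disabled, op in graph
    return "unpatched-no-op"      # still needs the upgrade; op not in graph

# Constructed inventory records (names, versions and op lists are made up).
INVENTORY = [
    {"name": "ranker", "tf_version": "2.10.1", "env": {}, "ops": {AFFECTED_OP, "Relu"}},
    {"name": "ocr", "tf_version": "2.11.0", "env": {"TF_DISABLE_MKL": "1"}, "ops": {AFFECTED_OP}},
    {"name": "search", "tf_version": "2.11.1", "env": {}, "ops": {AFFECTED_OP}},
    {"name": "vision", "tf_version": "2.12.0rc1", "env": {}, "ops": {"Conv2D"}},
    {"name": "chat", "tf_version": "2.13.0", "env": {}, "ops": {AFFECTED_OP}},
]

def report(inventory=INVENTORY):
    """Map each workload name to its triage status."""
    return {w["name"]: triage(w) for w in inventory}

if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name:8} {status}")
```
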

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: 8.4 - AI System Operation
NIST AI RMF: MANAGE-2.2 - Mechanisms to respond to and recover from AI risks

Frequently Asked Questions

What is CVE-2023-25670?

TensorFlow deployments running quantized models on Intel hardware with MKL acceleration are vulnerable to remote crash via null pointer dereference — no authentication required. Impact is availability only (no data exposure), but a single crafted inference request can take down model serving infrastructure. Patch to TF 2.12.0 or 2.11.1 immediately; if patching is delayed, disable MKL (TF_DISABLE_MKL=1) or remove unauthenticated network access to TF serving endpoints.

Is CVE-2023-25670 actively exploited?

No confirmed active exploitation of CVE-2023-25670 has been reported, but organizations should still patch proactively.

How to fix CVE-2023-25670?

  1. Patch: Upgrade TensorFlow to 2.12.0 or 2.11.1; fixes are confirmed in both branches.

  2. Workaround: Set TF_DISABLE_MKL=1 environment variable to disable MKL acceleration if immediate patching is blocked.

  3. Network hardening: Ensure model serving endpoints are behind authenticated API gateways; block unauthenticated internet access to TF Serving ports.

  4. Detection: Monitor TF serving processes for unexpected crashes or SIGSEGV/SIGABRT signals; alert on abnormal restart frequency.

  5. Inventory: Identify all production workloads running TF < 2.12.0 with MKL enabled and quantized MatMul ops.

What systems are affected by CVE-2023-25670?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference pipelines, training pipelines.

What is the CVSS score for CVE-2023-25670?

CVE-2023-25670 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.24%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 have a null point error in QuantizedMatMulWithBiasAndDequantize with MKL enabled. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Exploitation Scenario

An adversary enumerates a publicly exposed TensorFlow Serving REST or gRPC endpoint — detectable via metadata APIs, error messages, or banner grabbing. Knowing the target runs a quantized model on Intel hardware (inferable from response latency patterns or model card disclosures), they craft an inference request with tensor shapes or values that trigger the null pointer dereference path in QuantizedMatMulWithBiasAndDequantize. No credentials are needed. The TF worker process crashes, causing API downtime. For a SaaS AI product this means user-facing outage and SLA breach; repeated requests prevent automatic recovery.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: March 25, 2023
Last Modified: November 21, 2024
First Seen: March 25, 2023
