CVE-2023-30767: Intel TF Opt: buffer overflow enables local privesc

MEDIUM
Published February 14, 2024
CISO Take

Intel's optimized TensorFlow distribution has a buffer overflow enabling local privilege escalation. Primary exposure is on shared ML compute infrastructure — HPC clusters and multi-tenant training nodes — where a low-privileged user could escalate and access other tenants' model weights or training datasets. Patch to Intel Optimization for TensorFlow 2.13.0+ on all shared ML nodes immediately; single-tenant isolated deployments carry lower urgency.

What is the risk?

Effective risk is moderate-low in isolated single-tenant ML environments but escalates materially on shared training infrastructure. CVSS 6.7 reflects high attack complexity (AC:H) and required user interaction (UI:R), significantly reducing opportunistic exploitation likelihood. No public exploits observed and not in CISA KEV. Primary threat profile is an insider or compromised low-privileged account on a shared ML compute node — a realistic scenario in enterprise data science platforms and cloud-based training clusters.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
TensorFlow | pip | | No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 6.7 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 9% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Advanced

What is the attack surface?

AV Local
AC High
PR Low
UI Required
S Unchanged
C High
I High
A High

What should I do?

6 steps
  1. Upgrade Intel Optimization for TensorFlow to 2.13.0+ on all training and inference nodes immediately.

  2. Inventory all ML infrastructure for Intel-optimized TensorFlow deployments — pay special attention to shared HPC and Kubernetes nodes.

  3. Enforce strict namespace and container isolation on multi-tenant ML clusters to limit privilege escalation blast radius.

  4. Restrict filesystem permissions on model checkpoint directories and training data stores according to the principle of least privilege.

  5. Monitor for anomalous process spawning from TensorFlow worker processes (unusual child processes, unexpected file access outside workload scope).

  6. Consult Intel SA-00903 for official vendor guidance and any additional mitigations.
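
For steps 1 and 2, one way to triage collected `pip freeze` output per node against the 2.13.0 fix version. This is an added example, not code from Intel or this page; the distribution names in `INTEL_TF_DISTS` and the sample hosts are assumptions, and 2.13.0 pre-releases are conservatively treated as "before 2.13.0".

```python
import re

# Assumption: PyPI distribution names used for Intel-optimized TensorFlow builds.
INTEL_TF_DISTS = {"intel-tensorflow", "intel-tensorflow-avx512"}
FIXED = ((2, 13, 0), 1)  # 2.13.0 final, the first fixed release per the advisory
LINE = re.compile(r"^([A-Za-z0-9._-]+)\s*(?:==\s*([^\s;]+))?")

def normalize(name):
    """PEP 503 normalization, so Intel_TensorFlow matches intel-tensorflow."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse(version):
    """Return ((major, minor, patch), final_flag); pre-releases sort before final."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        return None
    rel = [int(p) for p in m.group(0).split(".")][:3]
    rel += [0] * (3 - len(rel))
    pre = re.match(r"[._-]?(?:a|b|rc|dev|alpha|beta|pre)", version[m.end():], re.I)
    return (tuple(rel), 0 if pre else 1)

def audit(host, freeze_text):
    """Classify every Intel TF distribution found in one host's `pip freeze` output."""
    findings = []
    for raw in freeze_text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m or normalize(m.group(1)) not in INTEL_TF_DISTS:
            continue
        version = m.group(2)
        parsed = parse(version) if version else None
        if parsed is None:
            status = "unknown"      # direct-URL or unparsable pin: check by hand
        elif parsed < FIXED:
            status = "vulnerable"   # before 2.13.0, including 2.13.0 pre-releases
        else:
            status = "ok"
        findings.append((host, normalize(m.group(1)), version, status))
    return findings

# Constructed sample inventory (hostnames and pins are illustrative only).
SAMPLE = {
    "hpc-node-01": "numpy==1.24.3\nintel_tensorflow==2.12.0\n",
    "hpc-node-02": "intel-tensorflow==2.13.0\n",
    "k8s-gpu-03": "Intel-TensorFlow-AVX512==2.13.0rc1\n",
    "k8s-gpu-04": "intel-tensorflow @ file:///wheels/itf.whl\n",
}

if __name__ == "__main__":
    for host, text in SAMPLE.items():
        for finding in audit(host, text):
            print(*finding)
```

Hosts reported as `unknown` installed from a wheel or URL without a version pin and need the installed version checked directly on the node.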

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity of high-risk AI systems
ISO 42001
A.6.2 - AI system supply chain management
NIST AI RMF
GOVERN-6.1 - AI supply chain transparency and risk management policies
MANAGE-2.4 - Remediation of identified AI risks and vulnerabilities

Frequently Asked Questions

Is CVE-2023-30767 actively exploited?

No confirmed active exploitation of CVE-2023-30767 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2023-30767?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML compute clusters.

What is the CVSS score for CVE-2023-30767?

CVE-2023-30767 has a CVSS v3.1 base score of 6.7 (MEDIUM). The EPSS exploitation probability is 0.19%.

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, shared ML compute clusters

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: GOVERN-6.1, MANAGE-2.4

What are the technical details?

Original Advisory

Improper buffer restrictions in Intel(R) Optimization for TensorFlow before version 2.13.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

Exploitation Scenario

A data scientist with a low-privileged account on a shared HPC training node running Intel-optimized TensorFlow triggers the buffer overflow via a crafted input that exploits the improper buffer restrictions during a training operation — requiring interaction from a co-located user (e.g., execution of a shared training script). The memory corruption overwrites security-critical data structures or function pointers within the Intel TF optimization layer, enabling escalation to a higher-privileged process or root. The attacker then pivots to access competing teams' model checkpoints, exfiltrates proprietary training datasets, or injects a backdoored model into a shared registry consumed by downstream production inference pipelines.

Weaknesses (CWE)

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: February 14, 2024
Last Modified: January 14, 2026
First Seen: February 14, 2024
