Data Extraction
Data extraction attacks target the information processed or memorised by AI/ML systems. They take three main forms. First, training-data extraction: large language models can memorise verbatim spans of their training corpus, and an attacker who crafts the right prompts can pull back PII, API keys, or copyrighted text; Carlini et al. demonstrated this against GPT-2, and the result has been reproduced against several production models. Second, model extraction: by repeatedly querying a hosted model and observing its outputs, an attacker can reconstruct enough of its behaviour to clone a proprietary fine-tune. Third, system-prompt and conversation leakage: indirect prompt injection or insecure logging can expose the application's instructions and other users' conversations. Multi-tenant inference platforms (vLLM, Triton, hosted APIs) and RAG systems are particularly exposed. Defenses include output filtering, differential privacy during training, rate limits, and strict tenant isolation.

| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2021-37685 | TensorFlow Lite: OOB read leaks heap memory in expand_dims | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37687 | TFLite: heap OOB read via negative indices in GatherNd | tensorflow | 5.5 |
| HIGH | CVE-2021-41210 | TensorFlow: heap OOB read in SparseCountSparseOutput | tensorflow | 7.1 |
| HIGH | CVE-2021-41211 | TensorFlow: heap OOB read in QuantizeV2 shape inference | tensorflow | 7.1 |
| HIGH | CVE-2021-41212 | TensorFlow: heap OOB read in ragged.cross shape inference | tensorflow | 7.1 |
| HIGH | CVE-2021-41226 | TensorFlow: heap OOB in SparseBinCount, crash/disclosure | tensorflow | 7.1 |
| MEDIUM | CVE-2021-41227 | TensorFlow: OOB read in ImmutableConst leaks memory | tensorflow | 5.5 |
| HIGH | CVE-2022-21726 | TensorFlow: heap OOB read in Dequantize op allows RCE | tensorflow | 8.8 |
| HIGH | CVE-2022-21730 | TensorFlow: OOB read leaks heap memory, enables DoS | tensorflow | 8.1 |
| HIGH | CVE-2022-23560 | TFLite: OOB read/write in sparse tensor → RCE | tensorflow | 8.8 |
| HIGH | CVE-2022-23592 | TensorFlow: heap OOB read in type inference engine | tensorflow | 8.1 |
| CRITICAL | CVE-2022-35937 | TensorFlow: GatherNd OOB read crashes inference servers | tensorflow | 9.1 |
| CRITICAL | CVE-2022-35938 | TensorFlow: OOB read in GatherNd causes crash/data leak | tensorflow | 9.1 |
| CRITICAL | CVE-2022-41880 | TensorFlow: heap OOB read in candidate sampler op | tensorflow | 9.1 |
| CRITICAL | CVE-2022-41902 | TensorFlow Grappler: OOB read/crash via crafted model | tensorflow | 9.1 |
| CRITICAL | CVE-2022-41910 | TensorFlow Grappler: OOB read crashes or leaks memory | tensorflow | 9.1 |
| CRITICAL | CVE-2023-43654 | TorchServe: SSRF + RCE via unrestricted model URL loading | torchserve | 9.8 |
| MEDIUM | CVE-2024-31584 | PyTorch: OOB read in mobile model loader leaks memory | pytorch | 5.5 |
| HIGH | CVE-2024-35199 | TorchServe: default gRPC exposure allows unauth inference | torchserve | 8.2 |
| MEDIUM | CVE-2024-6577 | TorchServe: unverified S3 bucket exposes benchmark data | torchserve | 6.3 |