DoS
Denial of service is cheap against AI systems because inference is expensive. A single request asking for a very long context, a recursive thinking pattern, or a maximally complex tokenization ("unicode bombs") can consume seconds of GPU time. Agent frameworks add a more dangerous variant: a prompt that tricks the agent into invoking itself or another expensive tool in a loop, fanning out until the budget is exhausted. For paid model APIs, the same attack is also a financial denial of service — the attacker doesn't take the service down, they run up the bill. We have seen production CVEs of all three shapes in inference servers (vLLM, TGI), agent frameworks (LangChain, AutoGen), and applications using third-party LLM APIs without per-tenant budget caps. Defenses: per-request token and time limits, per-tenant compute and budget quotas, depth limits on agent recursion, and circuit breakers on tool invocation.
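
The defenses listed above, sketched as an added example (not code from any of the frameworks named here): an admission guard that enforces a per-request token cap, a per-tenant token budget, an agent recursion depth limit, and a circuit breaker on tool calls. The class name, method names and default limits are assumptions chosen for illustration; wall-clock time limits are left to the serving layer.

```python
import time
from collections import defaultdict

class LimitExceeded(Exception):
    """Raised when a model call would exceed a configured limit."""

class InferenceGuard:
    # Hypothetical guard; every name and default limit is an assumption.
    def __init__(self, max_request_tokens=4096, tenant_budget=20000,
                 max_depth=3, breaker_threshold=5, breaker_window=10.0,
                 clock=time.monotonic):
        self.max_request_tokens = max_request_tokens
        self.tenant_budget = tenant_budget
        self.max_depth = max_depth
        self.breaker_threshold = breaker_threshold
        self.breaker_window = breaker_window
        self.clock = clock
        self.spent = defaultdict(int)   # tenant -> tokens charged so far
        self.calls = defaultdict(list)  # (tenant, tool) -> recent call times

    def admit(self, tenant, prompt_tokens, max_new_tokens, depth=0):
        """Check a model call before it reaches the GPU; reserve worst-case cost."""
        cost = prompt_tokens + max_new_tokens
        if depth > self.max_depth:
            raise LimitExceeded("agent recursion depth")
        if cost > self.max_request_tokens:
            raise LimitExceeded("per-request token limit")
        if self.spent[tenant] + cost > self.tenant_budget:
            raise LimitExceeded("tenant budget")
        self.spent[tenant] += cost
        return cost

    def settle(self, tenant, reserved, actual):
        """Refund the unused part of a reservation once the call finishes."""
        self.spent[tenant] -= max(0, reserved - actual)

    def allow_tool(self, tenant, tool):
        """Circuit breaker: refuse a tool invoked too often inside the window."""
        now = self.clock()
        key = (tenant, tool)
        recent = [t for t in self.calls[key] if now - t < self.breaker_window]
        if len(recent) >= self.breaker_threshold:
            self.calls[key] = recent
            return False
        recent.append(now)
        self.calls[key] = recent
        return True
```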
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2020-15207 | TFLite: OOB write via unchecked negative axis index | tensorflow | 9.0 |
| MEDIUM | CVE-2020-15209 | TensorFlow Lite: null ptr deref crashes model inference | tensorflow | 5.9 |
| MEDIUM | CVE-2020-15210 | TensorFlow Lite: memory corruption via aliased tensors | tensorflow | 6.5 |
| MEDIUM | CVE-2020-15213 | TensorFlow Lite: OOM DoS via crafted segment sum model | tensorflow | 4.0 |
| HIGH | CVE-2020-15214 | TensorFlow Lite: OOB write in segment sum, memory corruption risk | tensorflow | 8.1 |
| HIGH | CVE-2020-15265 | TensorFlow: OOB read DoS via invalid quantize axis | tensorflow | 7.5 |
| HIGH | CVE-2020-15266 | TensorFlow: NaN-triggered DoS in crop_and_resize op | tensorflow | 7.5 |
| HIGH | CVE-2020-26267 | TensorFlow: OOB read in DataFormatVecPermute op | tensorflow | 7.8 |
| MEDIUM | CVE-2020-26268 | TensorFlow: ImmutableConst segfault crashes Python interpreter | tensorflow | 4.4 |
| HIGH | CVE-2020-26269 | TensorFlow: OOB read in glob path matching causes DoS | tensorflow | 7.5 |
| LOW | CVE-2020-26270 | TensorFlow: DoS via zero-length input to LSTM/GRU on CUDA | tensorflow | 3.3 |
| MEDIUM | CVE-2021-29554 | TensorFlow: divide-by-zero DoS in DenseCountSparseOutput | tensorflow | 5.5 |
| HIGH | CVE-2021-29513 | TensorFlow: type confusion → null ptr deref (CVSS 7.8) | tensorflow | 7.8 |
| HIGH | CVE-2021-29515 | TensorFlow: NULL ptr deref in MatrixDiag ops (crash/RCE) | tensorflow | 7.8 |
| MEDIUM | CVE-2021-29516 | TensorFlow: null ptr deref crashes RaggedTensor ops | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29517 | TensorFlow: Conv3D div-by-zero crashes ML processes | tensorflow | 5.5 |
| HIGH | CVE-2021-29518 | TensorFlow: null ptr deref in session ops, local RCE | tensorflow | 7.8 |
| MEDIUM | CVE-2021-29519 | TensorFlow SparseCross: type confusion DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29521 | TensorFlow: DoS crash via negative sparse tensor shape | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29522 | TensorFlow: Conv3DBackprop div-by-zero crashes training | tensorflow | 5.5 |