DoS
Denial of service is cheap against AI systems because inference is expensive. A single request asking for a very long context, a recursive thinking pattern, or a maximally complex tokenization ("unicode bombs") can consume seconds of GPU time. Agent frameworks add a more dangerous variant: a prompt that tricks the agent into invoking itself or another expensive tool in a loop, fanning out until the budget is exhausted. For paid model APIs, the same attack is also a financial denial of service — the attacker doesn't take the service down, they run up the bill. We have seen production CVEs of all three shapes in inference servers (vLLM, TGI), agent frameworks (LangChain, AutoGen), and applications using third-party LLM APIs without per-tenant budget caps. Defenses: per-request token and time limits, per-tenant compute and budget quotas, depth limits on agent recursion, and circuit breakers on tool invocation.
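
The four defenses listed above, combined into one per-request guard. This is an added example, not code from this page or from any of the projects it names; `RequestGuard`, `TenantBudget`, `run_agent` and all limit values are hypothetical. It assumes tokens are estimated by word count and uses a breaker that opens on call count per tool rather than on failure rate.

```python
import time
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable

class LimitExceeded(Exception):
    """A DoS guard tripped; the caller should abort the request (fail closed)."""

@dataclass
class TenantBudget:
    tokens_left: int  # per-tenant quota for the current billing window
@dataclass
class RequestGuard:
    budget: TenantBudget
    max_tokens: int = 4096       # per-request token limit
    max_seconds: float = 30.0    # per-request time limit
    max_depth: int = 3           # agent recursion depth limit
    max_tool_calls: int = 5      # breaker threshold per tool, per request
    clock: Callable[[], float] = time.monotonic
    used: int = 0
    calls: Counter = field(default_factory=Counter)
    started: float = field(default=0.0, init=False)

    def __post_init__(self):
        self.started = self.clock()

    def charge(self, tokens: int) -> None:
        """Account for tokens before they are spent on inference."""
        if self.clock() - self.started > self.max_seconds:
            raise LimitExceeded("request time limit")
        if self.used + tokens > self.max_tokens:
            raise LimitExceeded("request token limit")
        if tokens > self.budget.tokens_left:
            raise LimitExceeded("tenant budget exhausted")
        self.used += tokens
        self.budget.tokens_left -= tokens

    def call_tool(self, name: str, fn: Callable, *args, depth: int = 0):
        """Run a tool only if recursion depth and the breaker allow it."""
        if depth > self.max_depth:
            raise LimitExceeded("agent recursion depth")
        if self.calls[name] >= self.max_tool_calls:
            raise LimitExceeded(f"circuit open for tool {name!r}")
        self.calls[name] += 1
        return fn(*args)

def run_agent(guard: RequestGuard, prompt: str, depth: int = 0) -> str:
    # Constructed agent that always re-invokes itself: the loop the guard must stop.
    guard.charge(len(prompt.split()))  # crude token estimate (assumption)
    return guard.call_tool("self", run_agent, guard, prompt + " again", depth + 1, depth=depth + 1)
```
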
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2021-29548 | TensorFlow: DoS via division by zero in QuantizedBatchNorm | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29549 | TensorFlow: divide-by-zero DoS in quantized batch norm op | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29550 | TensorFlow: FractionalAvgPool DoS via divide-by-zero | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29551 | TensorFlow: OOB read DoS in MatrixTriangularSolve kernel | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29552 | TensorFlow: DoS via empty num_segments tensor assertion | tensorflow | 5.5 |
| HIGH | CVE-2021-29553 | TensorFlow: heap OOB read via malicious axis in quant op | tensorflow | 7.1 |
| MEDIUM | CVE-2021-29555 | TensorFlow: FusedBatchNorm divide-by-zero crashes ML jobs | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29556 | TensorFlow: DoS via divide-by-zero in Reverse op | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29557 | TensorFlow: FPE in SparseMatMul causes process DoS | tensorflow | 5.5 |
| HIGH | CVE-2021-29559 | TensorFlow: heap OOB read in UnicodeEncode leaks memory | tensorflow | 7.1 |
| HIGH | CVE-2021-29560 | TensorFlow: heap OOB in RaggedTensorToTensor op | tensorflow | 7.1 |
| MEDIUM | CVE-2021-29561 | TensorFlow: DoS via malformed LoadAndRemapMatrix input | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29562 | TensorFlow: assertion failure DoS in IRFFT op | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29563 | TensorFlow: DoS via RFFT empty matrix assertion crash | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29564 | TensorFlow: null ptr deref DoS in EditDistance op | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29565 | TensorFlow: null ptr dereference crashes sparse ops | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29567 | TensorFlow: DoS via SparseDenseCwiseMul OOB | tensorflow | 5.5 |
| HIGH | CVE-2021-29568 | TensorFlow: null deref in ParameterizedTruncatedNormal op | tensorflow | 7.8 |
| HIGH | CVE-2021-29569 | TensorFlow: OOB heap read in MaxPoolGradWithArgmax op | tensorflow | 7.1 |
| HIGH | CVE-2021-29570 | TensorFlow: OOB read in MaxPoolGradWithArgmax op | tensorflow | 7.1 |