Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2022-36012 | TensorFlow: DoS via empty MLIR function attributes | tensorflow | 7.5 |
| HIGH | CVE-2022-36013 | TensorFlow MLIR: null ptr deref crashes model serving | tensorflow | 7.5 |
| HIGH | CVE-2022-36014 | TensorFlow: null ptr dereference in MLIR causes remote DoS | tensorflow | 7.5 |
| HIGH | CVE-2022-36015 | TensorFlow: integer overflow in RangeSize causes DoS | tensorflow | 7.5 |
| HIGH | CVE-2022-36016 | TensorFlow: CHECK-fail assertion crashes model serving | tensorflow | 7.5 |
| HIGH | CVE-2022-36017 | TensorFlow: DoS via malformed Requantize tensors | tensorflow | 7.5 |
| HIGH | CVE-2022-36027 | TensorFlow: DoS crash in transposed conv quantization | tensorflow | 7.5 |
| HIGH | CVE-2022-41883 | TensorFlow: executor crash via malformed op inputs (DoS) | tensorflow | 7.5 |
| CRITICAL | CVE-2022-41880 | TensorFlow: heap OOB read in candidate sampler op | tensorflow | 9.1 |
| HIGH | CVE-2022-41884 | TensorFlow: DoS via malformed numpy array shape | tensorflow | 7.5 |
| HIGH | CVE-2022-41885 | TensorFlow: FusedResizeAndPadConv2D overflow causes DoS | tensorflow | 7.5 |
| HIGH | CVE-2022-41886 | TensorFlow: integer overflow in image op causes DoS | tensorflow | 7.5 |
| HIGH | CVE-2022-41887 | TensorFlow: int32 overflow crashes Poisson loss function | tensorflow | 7.5 |
| HIGH | CVE-2022-41888 | TensorFlow: GPU input validation DoS in bbox proposals | tensorflow | 7.5 |
| HIGH | CVE-2022-41889 | TensorFlow: NULL ptr deref DoS via quantized tensor input | tensorflow | 7.5 |
| HIGH | CVE-2022-41890 | TensorFlow: int32 overflow in BCast::ToShape causes DoS | tensorflow | 7.5 |
| HIGH | CVE-2022-41891 | TensorFlow: segfault DoS in TensorListConcat op | tensorflow | 7.5 |
| HIGH | CVE-2022-41893 | TensorFlow: DoS via TensorListResize malformed input | tensorflow | 7.5 |
| HIGH | CVE-2022-41894 | TensorFlow Lite: buffer overflow in CONV_3D_TRANSPOSE op | tensorflow | 8.1 |
| HIGH | CVE-2022-41895 | TensorFlow: heap OOB in MirrorPadGrad causes DoS | tensorflow | 7.5 |