Inference
Inference servers are the most actively-exploited component of the AI stack because they sit between the model and the public internet and they hold the GPU. The shape of the bugs is mostly web-app classes magnified by the cost of compute: missing auth on /v1 endpoints, SSRF that escapes the sandbox onto the platform's control plane, unsafe deserialization on model-loading paths, and path traversal in artifact-management endpoints. vLLM, Triton, TGI, BentoML, Ray Serve, and Ollama have each shipped multiple high-severity CVEs since 2023; CVE-2024-11041 in vLLM was a notable example combining prompt injection with code execution. Multi-tenant deployments are particularly exposed because a single bug typically crosses tenant boundaries. Defenses: aggressive patching, mandatory auth, network segmentation between inference and control plane, and per-tenant resource quotas to bound abuse.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2022-29198 | TensorFlow: DoS via sparse tensor input validation failure | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29200 | TensorFlow: LSTMBlockCell DoS via invalid tensor rank | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29207 | TensorFlow: null-ptr deref in eager mode causes DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29201 | TensorFlow: QuantizedConv2D null deref crashes model server | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29203 | TensorFlow: DoS via SpaceToBatchND integer overflow | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29206 | TensorFlow: SparseTensorDenseAdd null ptr deref DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29209 | TensorFlow: CHECK macro type confusion causes DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29210 | TensorFlow: heap OOB in TensorKey causes DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29212 | TensorFlow Lite: quantization assert crash (DoS) | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29213 | TensorFlow: input validation DoS in FFT signal ops | tensorflow | 5.5 |
| HIGH | CVE-2022-29216 | TensorFlow CLI: eval() injection enables reverse shell | tensorflow | 7.8 |
| HIGH | CVE-2022-35934 | TensorFlow: tf.reshape DoS via integer overflow | tensorflow | 7.5 |
| HIGH | CVE-2022-35935 | TensorFlow: DoS via SobolSample CHECK-failure | tensorflow | 7.5 |
| CRITICAL | CVE-2022-35937 | TensorFlow: GatherNd OOB read crashes inference servers | tensorflow | 9.1 |
| CRITICAL | CVE-2022-35938 | TensorFlow: OOB read in GatherNd causes crash/data leak | tensorflow | 9.1 |
| CRITICAL | CVE-2022-35939 | TensorFlow: ScatterNd OOB write enables RCE/crash | tensorflow | 9.8 |
| HIGH | CVE-2022-35940 | TensorFlow: integer overflow in RaggedRangeOp crashes service | tensorflow | 7.5 |
| HIGH | CVE-2022-35941 | TensorFlow: DoS via negative ksize in AvgPoolOp | tensorflow | 7.5 |
| HIGH | CVE-2022-35952 | TensorFlow: DoS via UnbatchGradOp assertion crash | tensorflow | 7.5 |
| HIGH | CVE-2022-35959 | TensorFlow: DoS via AvgPool3DGradOp input overflow | tensorflow | 7.5 |