Inference
Inference servers are the most actively-exploited component of the AI stack because they sit between the model and the public internet and they hold the GPU. The shape of the bugs is mostly web-app classes magnified by the cost of compute: missing auth on /v1 endpoints, SSRF that escapes the sandbox onto the platform's control plane, unsafe deserialization on model-loading paths, and path traversal in artifact-management endpoints. vLLM, Triton, TGI, BentoML, Ray Serve, and Ollama have each shipped multiple high-severity CVEs since 2023; CVE-2024-11041 in vLLM was a notable example combining prompt injection with code execution. Multi-tenant deployments are particularly exposed because a single bug typically crosses tenant boundaries. Defenses: aggressive patching, mandatory auth, network segmentation between inference and control plane, and per-tenant resource quotas to bound abuse.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2022-35988 | TensorFlow: GPU DoS via empty input to matrix_rank op | tensorflow | 7.5 |
| HIGH | CVE-2022-35989 | TensorFlow: MaxPool GPU kernel DoS via oversized ksize | tensorflow | 7.5 |
| HIGH | CVE-2022-35990 | TensorFlow: DoS via quantization gradient rank check | tensorflow | 7.5 |
| HIGH | CVE-2022-36018 | TensorFlow: RaggedTensor CHECK fail remote DoS | tensorflow | 7.5 |
| HIGH | CVE-2022-36019 | TensorFlow: DoS via FakeQuant tensor rank mismatch | tensorflow | 7.5 |
| HIGH | CVE-2022-36026 | TensorFlow: DoS via QuantizeAndDequantizeV3 CHECK fail | tensorflow | 7.5 |
| HIGH | CVE-2022-35991 | TensorFlow: DoS via TensorListScatter CHECK fail | tensorflow | 7.5 |
| HIGH | CVE-2022-35992 | TensorFlow: DoS via malformed TensorList element shape | tensorflow | 7.5 |
| HIGH | CVE-2022-35993 | TensorFlow: DoS via malformed SetSize tensor shape | tensorflow | 7.5 |
| HIGH | CVE-2022-35994 | TensorFlow: CollectiveGather assertion DoS via scalar | tensorflow | 7.5 |
| HIGH | CVE-2022-35995 | TensorFlow: DoS via AudioSummaryV2 CHECK failure | tensorflow | 7.5 |
| HIGH | CVE-2022-35996 | TensorFlow: Conv2D DoS via empty input tensor | tensorflow | 7.5 |
| HIGH | CVE-2022-35997 | TensorFlow: CHECK-fail DoS in tf.sparse.cross op | tensorflow | 7.5 |
| HIGH | CVE-2022-35998 | TensorFlow: DoS via EmptyTensorList CHECK fail | tensorflow | 7.5 |
| HIGH | CVE-2022-35999 | TensorFlow: DoS via empty Conv2DBackpropInput tensors | tensorflow | 7.5 |
| HIGH | CVE-2022-36000 | TensorFlow: null deref crashes MLIR graph conversion | tensorflow | 7.5 |
| HIGH | CVE-2022-36001 | TensorFlow: DoS via type confusion in DrawBoundingBoxes | tensorflow | 7.5 |
| HIGH | CVE-2022-36002 | TensorFlow: DoS via Unbatch assertion failure | tensorflow | 7.5 |
| HIGH | CVE-2022-36003 | TensorFlow: DoS via RandomPoissonV2 large input | tensorflow | 7.5 |
| HIGH | CVE-2022-36004 | TensorFlow: DoS via tf.random.gamma CHECK assertion | tensorflow | 7.5 |