AI Threat Alert
Inference
Inference servers are the most actively-exploited component of the AI stack because they sit between the model and the public internet and they hold the GPU. The shape of the bugs is mostly web-app classes magnified by the cost of compute: missing auth on /v1 endpoints, SSRF that escapes the sandbox onto the platform's control plane, unsafe deserialization on model-loading paths, and path traversal in artifact-management endpoints. vLLM, Triton, TGI, BentoML, Ray Serve, and Ollama have each shipped multiple high-severity CVEs since 2023; CVE-2024-11041 in vLLM was a notable example combining prompt injection with code execution. Multi-tenant deployments are particularly exposed because a single bug typically crosses tenant boundaries. Defenses: aggressive patching, mandatory auth, network segmentation between inference and control plane, and per-tenant resource quotas to bound abuse.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2020-15200 | TensorFlow: heap overflow in RaggedCountSparseOutput DoS | tensorflow | 5.9 |
| MEDIUM | CVE-2020-15201 | TensorFlow: heap overflow in ragged tensor ops | tensorflow | 4.8 |
| CRITICAL | CVE-2020-15202 | TensorFlow: Shard API int truncation enables memory corruption | tensorflow | 9.0 |
| HIGH | CVE-2020-15203 | TensorFlow: format string DoS in strings.as_string | tensorflow | 7.5 |
| MEDIUM | CVE-2020-15204 | TensorFlow: null ptr deref DoS in eager mode ops | tensorflow | 5.3 |
| CRITICAL | CVE-2020-15205 | TensorFlow: heap overflow in StringNGrams, ASLR bypass | tensorflow | 9.8 |
| HIGH | CVE-2020-15206 | TensorFlow: SavedModel protobuf DoS in inference serving | tensorflow | 7.5 |
| CRITICAL | CVE-2020-15207 | TFLite: OOB write via unchecked negative axis index | tensorflow | 9.0 |
| CRITICAL | CVE-2020-15208 | TFLite: OOB read/write via tensor dimension mismatch | tensorflow | 9.8 |
| MEDIUM | CVE-2020-15209 | TensorFlow Lite: null ptr deref crashes model inference | tensorflow | 5.9 |
| MEDIUM | CVE-2020-15210 | TensorFlow Lite: memory corruption via aliased tensors | tensorflow | 6.5 |
| MEDIUM | CVE-2020-15211 | TensorFlow Lite: heap OOB RW via flatbuffer tensor index | tensorflow | 4.8 |
| HIGH | CVE-2020-15212 | TensorFlow Lite: heap OOB write via segment sum op | tensorflow | 8.6 |
| MEDIUM | CVE-2020-15213 | TensorFlow Lite: OOM DoS via crafted segment sum model | tensorflow | 4.0 |
| HIGH | CVE-2020-15214 | TensorFlow Lite: OOB write in segment sum, memory corruption risk | tensorflow | 8.1 |
| HIGH | CVE-2020-15265 | TensorFlow: OOB read DoS via invalid quantize axis | tensorflow | 7.5 |
| HIGH | CVE-2020-15266 | TensorFlow: NaN-triggered DoS in crop_and_resize op | tensorflow | 7.5 |
| MEDIUM | CVE-2020-26266 | TensorFlow: uninitialized memory read via crafted SavedModel | tensorflow | 5.3 |
| HIGH | CVE-2020-26267 | TensorFlow: OOB read in DataFormatVecPermute op | tensorflow | 7.8 |
| LOW | CVE-2020-26270 | TensorFlow: DoS via zero-length input to LSTM/GRU on CUDA | tensorflow | 3.3 |