Inference
Inference servers are the most actively-exploited component of the AI stack because they sit between the model and the public internet and they hold the GPU. The shape of the bugs is mostly web-app classes magnified by the cost of compute: missing auth on /v1 endpoints, SSRF that escapes the sandbox onto the platform's control plane, unsafe deserialization on model-loading paths, and path traversal in artifact-management endpoints. vLLM, Triton, TGI, BentoML, Ray Serve, and Ollama have each shipped multiple high-severity CVEs since 2023; CVE-2024-11041 in vLLM was a notable example combining prompt injection with code execution. Multi-tenant deployments are particularly exposed because a single bug typically crosses tenant boundaries. Defenses: aggressive patching, mandatory auth, network segmentation between inference and control plane, and per-tenant resource quotas to bound abuse.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-46032 | Linux Kernel KVM: nSVM VMEXIT host state corruption | 5.5 | |
| MEDIUM | CVE-2026-46091 | Linux Kernel: DMA coherency flaw in igorplugusb driver | 5.5 | |
| MEDIUM | CVE-2026-45907 | Linux mlx5e: deadlock DoS in Mellanox NIC recovery paths | 5.5 | |
| MEDIUM | CVE-2026-45973 | Linux mlx5: RDMA hang DoS on AI training clusters | 5.5 | |
| MEDIUM | CVE-2026-46236 | Linux Kernel: DMA coherency bug in xbox_remote driver | 5.5 | |
| HIGH | CVE-2026-46176 | Linux mlx5 RDMA: use-after-free in SRQ init path | 7.8 | |
| HIGH | CVE-2026-46178 | Linux mlx4 RDMA: resource leak on SRQ creation error | 7.8 | |
| UNKNOWN | CVE-2026-4944 | vllm: trust_remote_code bypass enables RCE via HuggingFace | vllm | - |
| HIGH | CVE-2026-41236 | Froxlor: symlink-following grants customer root SSH access | froxlor/froxlor | 8.8 |
| HIGH | CVE-2026-41235 | Froxlor: shell whitelist bypass grants host shell access | froxlor/froxlor | - |
| MEDIUM | CVE-2026-47213 | BoxLite: sandbox timeout bypass enables DoS via SIGALRM | boxlite | 6.5 |
| CRITICAL | CVE-2026-9319 | IBM WebSphere: RCE via JAX-WS deserialization (CVSS 9.0) | 9.0 | |
| MEDIUM | CVE-2026-43625 | CodexBar: session cookie leak via HTTP redirect | 5.9 | |
| CRITICAL | CVE-2026-47117 | OpenMed: RCE via trust_remote_code model loading | openmed | 9.8 |
| HIGH | CVE-2026-4035 | MLflow: AI Gateway leaks cloud credentials via env injection | mlflow | 7.7 |
| CRITICAL | CVE-2026-44182 | Enterprise Gateway: YAML injection → K8s cluster takeover | jupyter_enterprise_gateway | - |
| CRITICAL | CVE-2026-44181 | Enterprise Gateway: SSTI allows full K8s cluster compromise | jupyter_enterprise_gateway | - |
| CRITICAL | CVE-2026-44180 | Jupyter Enterprise Gateway: root privilege bypass in Kubernetes | jupyter_enterprise_gateway | 9.8 |
| LOW | CVE-2026-10783 | Gradio: weak hash exposes audio cache to local users | gradio | 2.5 |
| MEDIUM | CVE-2026-10804 | Streamlit: weak hash enables cache integrity bypass | streamlit | 4.7 |