Inference
Inference servers are the most actively-exploited component of the AI stack because they sit between the model and the public internet and they hold the GPU. The shape of the bugs is mostly web-app classes magnified by the cost of compute: missing auth on /v1 endpoints, SSRF that escapes the sandbox onto the platform's control plane, unsafe deserialization on model-loading paths, and path traversal in artifact-management endpoints. vLLM, Triton, TGI, BentoML, Ray Serve, and Ollama have each shipped multiple high-severity CVEs since 2023; CVE-2024-11041 in vLLM was a notable example combining prompt injection with code execution. Multi-tenant deployments are particularly exposed because a single bug typically crosses tenant boundaries. Defenses: aggressive patching, mandatory auth, network segmentation between inference and control plane, and per-tenant resource quotas to bound abuse.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-45499 | Azure OpenAI: SSRF flaw enables privilege escalation | 8.8 | |
| HIGH | CVE-2026-56208 | libaom: heap overflow in AV1 encoder LAP mode | rhaiis/vllm-cpu-rhel9 | 7.6 |
| HIGH | CVE-2026-56210 | libaom: AV1 SVC bounds-check miss leaks heap, crashes | rhaiis/vllm-cpu-rhel9 | 7.1 |
| HIGH | CVE-2026-56211 | libaom: AV1 SVC OOB write enables RCE | rhaiis/vllm-cpu-rhel9 | 7.1 |
| HIGH | CVE-2026-56209 | libaom: arbitrary address write in AV1 SVC codec | rhaiis/vllm-cpu-rhel9 | 7.1 |
| HIGH | CVE-2025-71342 | picklescan: idlelib bypass hides pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71345 | picklescan: scanner blocklist bypass hides pickle RCE | picklescan | 8.1 |
| LOW | CVE-2026-14738 | exo: weak hash algorithm in vision feature cache key | 3.7 | |
| MEDIUM | CVE-2026-40257 | OP-TEE: off-by-one in SHA-3 CE overflows TEE kernel heap | 5.5 | |
| HIGH | CVE-2026-42010 | gnutls: NUL-byte username bypasses RSA-PSK auth | rhaiis/vllm-rocm-rhel9 | 7.1 |
| HIGH | CVE-2026-33846 | GnuTLS: DTLS fragment heap overflow, DoS on AI inference | rhaiis/vllm-rocm-rhel9 | 7.5 |
| HIGH | CVE-2026-42009 | gnutls: DTLS packet-reorder bug DoS hits AI inference servers | rhaiis/vllm-rocm-rhel9 | 7.5 |
| HIGH | CVE-2026-33845 | GnuTLS: DTLS integer underflow enables OOB read/DoS | rhaiis/vllm-rocm-rhel9 | 7.5 |
| HIGH | CVE-2026-54234 | vLLM: crafted spec-decoding request crashes GPU worker (DoS) | vllm | 7.5 |
| MEDIUM | CVE-2026-55514 | vLLM: malformed prompt embeds crash serving via M-RoPE | vllm | 6.5 |
| HIGH | CVE-2026-55574 | vLLM: unbounded regex compile hangs inference worker (ReDoS) | xgrammar | 7.5 |
| MEDIUM | CVE-2026-15044 | TrustyAI: missing auth exposes guardrails orchestrator | nemoguardrails | 6.3 |
| HIGH | CVE-2026-15035 | OpenLLM: command injection via model repo name | 7.8 | |
| MEDIUM | CVE-2026-59225 | Open WebUI: arena bypass reaches restricted models | open-webui | 5.4 |
| MEDIUM | CVE-2026-8595 | Grafana: stored XSS via malicious TableNG field name | 6.8 |
Page 35 of 35