AI Threat Alert
Inference
Inference servers are the most actively-exploited component of the AI stack because they sit between the model and the public internet and they hold the GPU. The shape of the bugs is mostly web-app classes magnified by the cost of compute: missing auth on /v1 endpoints, SSRF that escapes the sandbox onto the platform's control plane, unsafe deserialization on model-loading paths, and path traversal in artifact-management endpoints. vLLM, Triton, TGI, BentoML, Ray Serve, and Ollama have each shipped multiple high-severity CVEs since 2023; CVE-2024-11041 in vLLM was a notable example combining prompt injection with code execution. Multi-tenant deployments are particularly exposed because a single bug typically crosses tenant boundaries. Defenses: aggressive patching, mandatory auth, network segmentation between inference and control plane, and per-tenant resource quotas to bound abuse.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2021-29544 | TensorFlow: DoS via missing tensor rank validation | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29545 | TensorFlow: heap OOB write in sparse tensor DoS | tensorflow | 5.5 |
| HIGH | CVE-2021-29546 | TensorFlow: div-by-zero in QuantizedBiasAdd, C/I/A high | tensorflow | 7.8 |
| MEDIUM | CVE-2021-29547 | TensorFlow: OOB read DoS via empty tensor in QuantizedBatchNorm | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29548 | TensorFlow: DoS via division by zero in QuantizedBatchNorm | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29549 | TensorFlow: divide-by-zero DoS in quantized batch norm op | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29550 | TensorFlow: FractionalAvgPool DoS via divide-by-zero | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29551 | TensorFlow: OOB read DoS in MatrixTriangularSolve kernel | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29552 | TensorFlow: DoS via empty num_segments tensor assertion | tensorflow | 5.5 |
| HIGH | CVE-2021-29553 | TensorFlow: heap OOB read via malicious axis in quant op | tensorflow | 7.1 |
| MEDIUM | CVE-2021-29555 | TensorFlow: FusedBatchNorm divide-by-zero crashes ML jobs | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29556 | TensorFlow: DoS via divide-by-zero in Reverse op | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29557 | TensorFlow: FPE in SparseMatMul causes process DoS | tensorflow | 5.5 |
| HIGH | CVE-2021-29558 | TensorFlow: heap buffer overflow in SparseSplit op | tensorflow | 7.8 |
| HIGH | CVE-2021-29560 | TensorFlow: heap OOB in RaggedTensorToTensor op | tensorflow | 7.1 |
| MEDIUM | CVE-2021-29561 | TensorFlow: DoS via malformed LoadAndRemapMatrix input | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29563 | TensorFlow: DoS via RFFT empty matrix assertion crash | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29565 | TensorFlow: null ptr dereference crashes sparse ops | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29567 | TensorFlow: DoS via SparseDenseCwiseMul OOB | tensorflow | 5.5 |
| HIGH | CVE-2021-29568 | TensorFlow: null deref in ParameterizedTruncatedNormal op | tensorflow | 7.8 |