Inference
Inference servers are the most actively-exploited component of the AI stack because they sit between the model and the public internet and they hold the GPU. The shape of the bugs is mostly web-app classes magnified by the cost of compute: missing auth on /v1 endpoints, SSRF that escapes the sandbox onto the platform's control plane, unsafe deserialization on model-loading paths, and path traversal in artifact-management endpoints. vLLM, Triton, TGI, BentoML, Ray Serve, and Ollama have each shipped multiple high-severity CVEs since 2023; CVE-2024-11041 in vLLM was a notable example combining prompt injection with code execution. Multi-tenant deployments are particularly exposed because a single bug typically crosses tenant boundaries. Defenses: aggressive patching, mandatory auth, network segmentation between inference and control plane, and per-tenant resource quotas to bound abuse.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2021-29570 | TensorFlow: OOB read in MaxPoolGradWithArgmax op | tensorflow | 7.1 |
| HIGH | CVE-2021-29571 | TensorFlow: heap OOB write via crafted bounding box op | tensorflow | 7.8 |
| HIGH | CVE-2021-29574 | TensorFlow: null ptr deref in MaxPool3DGradGrad ops | tensorflow | 7.8 |
| MEDIUM | CVE-2021-29575 | TensorFlow: stack overflow DoS in ReverseSequence op | tensorflow | 5.5 |
| HIGH | CVE-2021-29577 | TensorFlow: heap overflow in AvgPool3DGrad op | tensorflow | 7.8 |
| HIGH | CVE-2021-29579 | TensorFlow: heap buffer overflow in MaxPoolGrad kernel | tensorflow | 7.8 |
| MEDIUM | CVE-2021-29580 | TensorFlow: DoS via empty tensor in FractionalMaxPoolGrad | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29581 | TensorFlow: DoS via null buffer in CTCBeamSearchDecoder | tensorflow | 5.5 |
| HIGH | CVE-2021-29582 | TensorFlow: OOB heap read via Dequantize shape mismatch | tensorflow | 7.1 |
| HIGH | CVE-2021-29583 | TensorFlow: heap overflow in FusedBatchNorm risks RCE | tensorflow | 7.8 |
| MEDIUM | CVE-2021-29584 | TensorFlow: integer overflow DoS in SparseSplit op | tensorflow | 5.5 |
| HIGH | CVE-2021-29585 | TensorFlow TFLite: divide-by-zero crashes ML inference | tensorflow | 7.8 |
| HIGH | CVE-2021-29586 | TFLite: div-by-zero in pooling crashes inference engine | tensorflow | 7.8 |
| HIGH | CVE-2021-29587 | TensorFlow TFLite: divide-by-zero via crafted model file | tensorflow | 7.8 |
| HIGH | CVE-2021-29588 | TensorFlow Lite: DoS/RCE via crafted model stride=0 | tensorflow | 7.8 |
| HIGH | CVE-2021-29589 | TFLite GatherNd: divide-by-zero crashes inference runtime | tensorflow | 7.8 |
| HIGH | CVE-2021-29590 | TensorFlow TFLite: OOB read via empty tensor in Min/Max ops | tensorflow | 7.1 |
| HIGH | CVE-2021-29591 | TFLite: crafted model causes infinite loop / stack overflow | tensorflow | 7.8 |
| HIGH | CVE-2021-29592 | TensorFlow Lite: null-ptr deref in Reshape via 1D tensor | tensorflow | 7.8 |
| HIGH | CVE-2021-29593 | TensorFlow TFLite: div-by-zero via crafted model file | tensorflow | 7.8 |