Inference
Inference servers are the most actively-exploited component of the AI stack because they sit between the model and the public internet and they hold the GPU. The shape of the bugs is mostly web-app classes magnified by the cost of compute: missing auth on /v1 endpoints, SSRF that escapes the sandbox onto the platform's control plane, unsafe deserialization on model-loading paths, and path traversal in artifact-management endpoints. vLLM, Triton, TGI, BentoML, Ray Serve, and Ollama have each shipped multiple high-severity CVEs since 2023; CVE-2024-11041 in vLLM was a notable example combining prompt injection with code execution. Multi-tenant deployments are particularly exposed because a single bug typically crosses tenant boundaries. Defenses: aggressive patching, mandatory auth, network segmentation between inference and control plane, and per-tenant resource quotas to bound abuse.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2021-29594 | TFLite: divide-by-zero in conv allows code execution | tensorflow | 7.8 |
| HIGH | CVE-2021-29595 | TensorFlow TFLite: crash/RCE via malicious model file | tensorflow | 7.8 |
| HIGH | CVE-2021-29596 | TensorFlow TFLite: div-by-zero in EmbeddingLookup op | tensorflow | 7.8 |
| HIGH | CVE-2021-29597 | TensorFlow TFLite: div-by-zero crash via crafted model | tensorflow | 7.8 |
| HIGH | CVE-2021-29598 | TensorFlow TFLite: SVDF div-by-zero enables RCE | tensorflow | 7.8 |
| HIGH | CVE-2021-29599 | TFLite Split: malicious model triggers div-by-zero (DoS/RCE) | tensorflow | 7.8 |
| HIGH | CVE-2021-29600 | TensorFlow TFLite: div-by-zero via crafted OneHot model | tensorflow | 7.8 |
| HIGH | CVE-2021-29601 | TensorFlow Lite: integer overflow in model concatenation | tensorflow | 7.1 |
| MEDIUM | CVE-2021-29602 | TensorFlow TFLite: DepthwiseConv division-by-zero DoS | tensorflow | 5.5 |
| HIGH | CVE-2021-29603 | TensorFlow TFLite: heap OOB write via malformed model | tensorflow | 7.8 |
| MEDIUM | CVE-2021-29604 | TFLite: DoS via division by zero in hashtable lookup | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29605 | TFLite: integer overflow DoS via crafted model file | tensorflow | 5.5 |
| HIGH | CVE-2021-29606 | TensorFlow Lite: OOB read via crafted TFLite model | tensorflow | 7.8 |
| HIGH | CVE-2021-29607 | TensorFlow: heap OOB write in SparseAdd op | tensorflow | 7.8 |
| HIGH | CVE-2021-29609 | TensorFlow: SparseAdd heap OOB write and null deref | tensorflow | 7.8 |
| HIGH | CVE-2021-29610 | TensorFlow: heap R/W via quantization axis underflow | tensorflow | 7.8 |
| HIGH | CVE-2021-29612 | TensorFlow: heap overflow in linalg op, RCE risk | tensorflow | 7.8 |
| HIGH | CVE-2021-29613 | TensorFlow: CTCLoss heap OOB read, info leak + crash | tensorflow | 7.1 |
| MEDIUM | CVE-2021-29615 | TensorFlow: uncontrolled recursion DoS in ParseAttrValue | tensorflow | 5.5 |
| HIGH | CVE-2021-29616 | TensorFlow: null ptr deref in graph optimizer | tensorflow | 7.8 |