Inference
Inference servers are the most actively-exploited component of the AI stack because they sit between the model and the public internet and they hold the GPU. The shape of the bugs is mostly web-app classes magnified by the cost of compute: missing auth on /v1 endpoints, SSRF that escapes the sandbox onto the platform's control plane, unsafe deserialization on model-loading paths, and path traversal in artifact-management endpoints. vLLM, Triton, TGI, BentoML, Ray Serve, and Ollama have each shipped multiple high-severity CVEs since 2023; CVE-2024-11041 in vLLM was a notable example combining prompt injection with code execution. Multi-tenant deployments are particularly exposed because a single bug typically crosses tenant boundaries. Defenses: aggressive patching, mandatory auth, network segmentation between inference and control plane, and per-tenant resource quotas to bound abuse.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2021-41205 | TensorFlow: heap OOB read in quantize ops, DoS+leak | tensorflow | 7.1 |
| HIGH | CVE-2021-41211 | TensorFlow: heap OOB read in QuantizeV2 shape inference | tensorflow | 7.1 |
| HIGH | CVE-2021-41212 | TensorFlow: heap OOB read in ragged.cross shape inference | tensorflow | 7.1 |
| MEDIUM | CVE-2021-41215 | TensorFlow: DeserializeSparse null deref causes DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41217 | TensorFlow: null pointer crash in control flow graph | tensorflow | 5.5 |
| HIGH | CVE-2021-41226 | TensorFlow: heap OOB in SparseBinCount, crash/disclosure | tensorflow | 7.1 |
| MEDIUM | CVE-2021-41209 | TensorFlow: DoS via division-by-zero in conv ops | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41222 | TensorFlow: SplitV negative arg segfault crashes process | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41227 | TensorFlow: OOB read in ImmutableConst leaks memory | tensorflow | 5.5 |
| HIGH | CVE-2022-21726 | TensorFlow: heap OOB read in Dequantize op allows RCE | tensorflow | 8.8 |
| HIGH | CVE-2022-21727 | TensorFlow: Dequantize integer overflow, RCE risk | tensorflow | 8.8 |
| HIGH | CVE-2022-21728 | TensorFlow: heap OOB read in ReverseSequence op | tensorflow | 8.1 |
| HIGH | CVE-2022-21730 | TensorFlow: OOB read leaks heap memory, enables DoS | tensorflow | 8.1 |
| MEDIUM | CVE-2022-21731 | TensorFlow: ConcatV2 type confusion enables remote DoS | tensorflow | 6.5 |
| MEDIUM | CVE-2022-21732 | TensorFlow: ThreadPoolHandle DoS via memory exhaustion | tensorflow | 6.5 |
| MEDIUM | CVE-2022-21733 | TensorFlow: StringNGrams integer overflow enables OOM DoS | tensorflow | 6.5 |
| MEDIUM | CVE-2022-21736 | TensorFlow: NULL deref DoS via SparseTensorSliceDataset | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23567 | TensorFlow: integer overflow DoS in sparse tensor ops | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23568 | TensorFlow: integer overflow DoS in sparse tensor ops | tensorflow | 6.5 |
| MEDIUM | CVE-2022-21725 | TensorFlow: DoS via div-by-zero in conv cost estimator | tensorflow | 6.5 |