AI Threat Alert
Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2020-15214 | TensorFlow Lite: OOB write in segment sum, memory corruption risk | tensorflow | 8.1 |
| LOW | CVE-2020-26271 | TensorFlow: OOB read on saved model load leaks heap addresses | tensorflow | 3.3 |
| MEDIUM | CVE-2020-26266 | TensorFlow: uninitialized memory read via crafted SavedModel | tensorflow | 5.3 |
| HIGH | CVE-2021-29514 | TensorFlow: heap buffer overflow in RaggedBincount op | tensorflow | 7.8 |
| HIGH | CVE-2021-29515 | TensorFlow: NULL ptr deref in MatrixDiag ops (crash/RCE) | tensorflow | 7.8 |
| HIGH | CVE-2021-29520 | TensorFlow: heap buffer overflow in Conv3DBackprop ops | tensorflow | 7.8 |
| HIGH | CVE-2021-29529 | TensorFlow: heap buffer overflow in quantized image resize | tensorflow | 7.8 |
| HIGH | CVE-2021-29535 | TensorFlow: heap overflow in QuantizedMul op | tensorflow | 7.8 |
| HIGH | CVE-2021-29536 | TensorFlow: heap overflow in QuantizedReshape op | tensorflow | 7.8 |
| HIGH | CVE-2021-29537 | TensorFlow: heap overflow in QuantizedResizeBilinear op | tensorflow | 7.8 |
| HIGH | CVE-2021-29540 | TensorFlow: heap buffer overflow in Conv2D gradient op | tensorflow | 7.8 |
| HIGH | CVE-2021-29546 | TensorFlow: div-by-zero in QuantizedBiasAdd, C/I/A high | tensorflow | 7.8 |
| HIGH | CVE-2021-29558 | TensorFlow: heap buffer overflow in SparseSplit op | tensorflow | 7.8 |
| HIGH | CVE-2021-29566 | TensorFlow: heap OOB write in Dilation2D training op | tensorflow | 7.8 |
| HIGH | CVE-2021-29571 | TensorFlow: heap OOB write via crafted bounding box op | tensorflow | 7.8 |
| HIGH | CVE-2021-29585 | TensorFlow TFLite: divide-by-zero crashes ML inference | tensorflow | 7.8 |
| HIGH | CVE-2021-29587 | TensorFlow TFLite: divide-by-zero via crafted model file | tensorflow | 7.8 |
| HIGH | CVE-2021-29588 | TensorFlow Lite: DoS/RCE via crafted model stride=0 | tensorflow | 7.8 |
| HIGH | CVE-2021-29589 | TFLite GatherNd: divide-by-zero crashes inference runtime | tensorflow | 7.8 |
| HIGH | CVE-2021-29590 | TensorFlow TFLite: OOB read via empty tensor in Min/Max ops | tensorflow | 7.1 |