Craft Adversarial Data
Adversarial data are inputs to an AI model that have been modified to cause the adversary's desired effect in the target model. Effects can range from misclassification, to missed detections, to maximizing energy consumption. Typically, the modification is constrained in magnitude or location so that a human still perceives the data as if it were unmodified, but human perceptibility may not always be a concern, depending on the adversary's intended effect. For example, an adversarial input for an image classification task is an image that the AI model would misclassify but that a human would still recognize as containing the correct class.

Depending on their knowledge of and access to the target model, the adversary may use different classes of algorithms to develop the adversarial example, such as [White-Box Optimization](/techniques/AML.T0043.000), [Black-Box Optimization](/techniques/AML.T0043.001), [Black-Box Transfer](/techniques/AML.T0043.002), or [Manual Modification](/techniques/AML.T0043.003). The adversary may verify that their approach works ([Verify Attack](/techniques/AML.T0042)) if they have white-box or inference API access to the model. This allows the adversary to gain confidence that their attack is effective before using it in a "live" environment where their attack may be noticed. They can then use the attack at a later time to accomplish their goals. An adversary may optimize adversarial examples to [Evade AI Model](/techniques/AML.T0015) or to [Erode AI Model Integrity](/techniques/AML.T0031).
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2019-16778 | TensorFlow: heap overflow in UnsortedSegmentSum op | tensorflow | 9.8 |
| CRITICAL | CVE-2022-23587 | TensorFlow: integer overflow in Grappler enables RCE | tensorflow | 9.8 |
| CRITICAL | CVE-2022-35939 | TensorFlow: ScatterNd OOB write enables RCE/crash | tensorflow | 9.8 |
| CRITICAL | CVE-2022-41910 | TensorFlow Grappler: OOB read crashes or leaks memory | tensorflow | 9.1 |
| CRITICAL | CVE-2022-35937 | TensorFlow: GatherNd OOB read crashes inference servers | tensorflow | 9.1 |
| CRITICAL | CVE-2022-41880 | TensorFlow: heap OOB read in candidate sampler op | tensorflow | 9.1 |
| CRITICAL | CVE-2020-15207 | TFLite: OOB write via unchecked negative axis index | tensorflow | 9.0 |
| HIGH | CVE-2025-62164 | vllm: Input Validation flaw enables exploitation | vllm | 8.8 |
| HIGH | GHSA-mcmc-2m55-j8jj | vllm: Input Validation flaw enables exploitation | vllm | 8.8 |
| HIGH | CVE-2022-21727 | TensorFlow: Dequantize integer overflow, RCE risk | tensorflow | 8.8 |
| HIGH | CVE-2022-23566 | TensorFlow: heap OOB write in Grappler, RCE risk | tensorflow | 8.8 |
| HIGH | CVE-2022-21740 | TensorFlow: heap overflow in sparse ops, RCE risk | tensorflow | 8.8 |
| HIGH | CVE-2021-29540 | TensorFlow: heap buffer overflow in Conv2D gradient op | tensorflow | 7.8 |
| HIGH | CVE-2021-41219 | TensorFlow: heap OOB in sparse matrix multiply | tensorflow | 7.8 |
| HIGH | CVE-2021-29609 | TensorFlow: SparseAdd heap OOB write and null deref | tensorflow | 7.8 |
| HIGH | CVE-2021-37667 | TensorFlow: UnicodeEncode null deref, local code exec | tensorflow | 7.8 |
| HIGH | CVE-2021-37662 | TensorFlow: null deref in BoostedTrees training ops | tensorflow | 7.8 |
| HIGH | CVE-2021-29513 | TensorFlow: type confusion → null ptr deref (CVSS 7.8) | tensorflow | 7.8 |
| HIGH | CVE-2022-36004 | TensorFlow: DoS via tf.random.gamma CHECK assertion | tensorflow | 7.5 |
| HIGH | CVE-2024-58340 | langchain: security flaw enables exploitation | langchain | 7.5 |
| HIGH | CVE-2026-22773 | vllm: Resource Exhaustion enables DoS | vllm | 7.5 |
| HIGH | CVE-2023-25669 | TensorFlow: DoS via AvgPoolGrad invalid stride params | tensorflow | 7.5 |
| HIGH | CVE-2023-25667 | TensorFlow: integer overflow DoS in video frame decoding | tensorflow | 7.5 |
| HIGH | CVE-2023-25658 | TensorFlow: OOB read in GRUBlockCellGrad causes DoS | tensorflow | 7.5 |
| HIGH | CVE-2022-41909 | TensorFlow: remote DoS via malformed tensor input | tensorflow | 7.5 |
| HIGH | CVE-2022-41898 | TensorFlow: DoS crash via empty SparseFillEmptyRowsGrad inputs | tensorflow | 7.5 |
| HIGH | CVE-2022-41889 | TensorFlow: NULL ptr deref DoS via quantized tensor input | tensorflow | 7.5 |
| HIGH | CVE-2022-36019 | TensorFlow: DoS via FakeQuant tensor rank mismatch | tensorflow | 7.5 |
| HIGH | CVE-2022-35967 | TensorFlow: DoS via QuantizedAdd tensor rank flaw | tensorflow | 7.5 |
| HIGH | CVE-2022-35964 | TensorFlow: remote DoS via BlockLSTMGradV2 validation | tensorflow | 7.5 |
| HIGH | CVE-2021-37635 | TensorFlow: heap OOB read in sparse reduction ops | tensorflow | 7.1 |
| HIGH | CVE-2021-37641 | TensorFlow: RaggedGather OOB read - heap leak + DoS | tensorflow | 7.1 |
| HIGH | CVE-2021-41224 | TensorFlow: heap OOB read in SparseFillEmptyRows op | tensorflow | 7.1 |
| HIGH | CVE-2021-29582 | TensorFlow: OOB heap read via Dequantize shape mismatch | tensorflow | 7.1 |
| HIGH | CVE-2021-29569 | TensorFlow: OOB heap read in MaxPoolGradWithArgmax op | tensorflow | 7.1 |
| HIGH | CVE-2021-37654 | TensorFlow: OOB read/crash via ResourceGather batch_dims | tensorflow | 7.1 |
| HIGH | CVE-2021-29613 | TensorFlow: CTCLoss heap OOB read, info leak + crash | tensorflow | 7.1 |
| MEDIUM | CVE-2022-23576 | TensorFlow: integer overflow in cost estimator causes DoS | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23588 | TensorFlow: DoS via crafted SavedModel crashes Grappler | tensorflow | 6.5 |
| MEDIUM | CVE-2025-62372 | vllm: security flaw enables exploitation | vllm | 6.5 |
| MEDIUM | CVE-2020-15197 | TensorFlow: DoS via malformed sparse tensor input | tensorflow | 6.3 |
| MEDIUM | CVE-2026-34760 | vLLM: audio downmix mismatch enables adversarial input | | 5.9 |
| MEDIUM | CVE-2021-37675 | TensorFlow: DoS via division by zero in conv ops | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37686 | TFLite: infinite loop DoS via crafted strided slice model | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29611 | TensorFlow: DoS via SparseReshape invalid tensor input | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37668 | TensorFlow: DoS via div-by-zero in UnravelIndex op | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37683 | TFLite: division by zero DoS in inference kernels | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29542 | TensorFlow: StringNGrams heap overflow crashes ML process | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41195 | TensorFlow: integer overflow in segment ops causes DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29201 | TensorFlow: QuantizedConv2D null deref crashes model server | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29567 | TensorFlow: DoS via SparseDenseCwiseMul OOB | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29203 | TensorFlow: DoS via SpaceToBatchND integer overflow | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29533 | TensorFlow: DoS via empty image in DrawBoundingBoxes | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29211 | TensorFlow: NaN input crashes histogram op (CPU DoS) | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29213 | TensorFlow: input validation DoS in FFT signal ops | tensorflow | 5.5 |
| MEDIUM | CVE-2020-15198 | TensorFlow: heap OOB in SparseCountSparseOutput ops | tensorflow | 5.4 |
| MEDIUM | CVE-2025-46152 | PyTorch: OOB write causes incorrect bitwise shift results | pytorch | 5.3 |
| MEDIUM | CVE-2020-15194 | TensorFlow: DoS via SparseFillEmptyRowsGrad assertion | tensorflow | 5.3 |
| LOW | CVE-2025-46570 | vLLM: timing side-channel leaks prompt cache data | vllm | 2.6 |
| UNKNOWN | CVE-2019-9635 | TensorFlow: NULL ptr deref DoS via malformed GIF input | tensorflow | — |