Quantamination: Dynamic Quantization Can Leak Your Data Across the Batch

Hanna Foerster; Ilia Shumailov; Cheng Zhang; Yiren Zhao; Jamie Hayes; Robert D. Mullins

Quantamination: Dynamic Quantization Can Leak Your Data Across the Batch

Hanna Foerster, Ilia Shumailov, Cheng Zhang, Yiren Zhao, Jamie Hayes, Robert D. Mullins

Published: 03 Jun 2026, Last Modified: 03 Jun 2026AI4GOOD Workshop 2026 RegularEveryoneRevisionsBibTeXCC BY 4.0

Keywords: dynamic quantization, side-channel attack, privacy leakage, AI deployment security

TL;DR: Per-tensor dynamic activation quantization, a default in several widely deployed inference frameworks, creates a cross-batch side channel that lets a co-located adversary recover other users' inputs at near-perfect accuracy.

Abstract: Dynamic quantization emerged as a practical approach to increase the utilization and efficiency of the machine learning serving flow. Unlike static quantization, which applies quantization offline, dynamic quantization operates on tensors at run-time, adapting its parameters to the actual input data. Today’s mainstream machine learning frameworks -- including ML compilers and inference engines -- frequently recommend dynamic quantization as an initial step for optimizing model serving. This is because dynamic quantization can significantly reduce memory usage and computational load, leading to faster token generation and improved model serving efficiency without substantial loss in model accuracy. In this paper, we reveal a critical vulnerability in dynamic quantization: an adversary can exploit such quantization strategy to steal sensitive user data placed in the same batch as the adversary’s input. Our analysis demonstrates that dynamic quantization, when improperly implemented or configured, can create side channels that expose information about other inputs within the same batch. We call this phenomenon Quantamination, describing contamination from quantization. Specifically, we show that at least $4$ of the most popular ML frameworks in use today either default to or can use configurations that leak data across the batch boundary. This data leakage, in theory, allows attackers to partially or even fully recover other users’ batched input data, representing a serious privacy risk for existing ML serving frameworks.

Email Sharing: We authorize the sharing of all author emails with Program Chairs.

Data Release: We authorize the release of our submission and author names to the public in the event of acceptance.

Submission Number: 40

Loading