CVE-2022-21729: TensorFlow: UnravelIndex integer overflow → DoS
MEDIUM | PoC AVAILABLE | CISA: TRACK*
A remotely triggerable integer overflow in TensorFlow's UnravelIndex op allows any authenticated user to crash TF serving workers via crafted tensor inputs, resulting in full availability loss. No data exfiltration risk, but production model serving endpoints are vulnerable if running unpatched TF 2.5–2.7. Patch immediately to TF 2.8.0, 2.7.1, 2.6.3, or 2.5.3, all available as of early 2022.
What is the risk?
Medium risk overall, but elevated for organizations exposing TensorFlow Serving APIs to external or semi-trusted clients. CVSS 6.5 reflects low-complexity, network-accessible DoS with no privilege escalation. The absence of a confidentiality or integrity impact limits blast radius to availability. Not in CISA KEV, no known active exploitation in the wild. Risk increases in multi-tenant ML platforms where tenants can supply arbitrary model inputs.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
Do you use TensorFlow? You're affected.
What should I do?
1. PATCH: Upgrade to TensorFlow 2.8.0 (or cherry-picked fixes in 2.7.1, 2.6.3, 2.5.3). Commit 58b34c6 contains the fix.
2. WORKAROUND: Add input validation middleware to TF Serving that rejects tensors with out-of-range index values before they reach the op layer.
3. ISOLATION: Run TF Serving workers in containers/pods with automatic restart policies (k8s restartPolicy: Always) to minimize downtime from crashes.
4. DETECTION: Monitor for sudden TF worker process crashes or serving pod restarts correlated with specific client IPs or request patterns; repeated crashes from the same source indicate active probing.
5. NETWORK: Restrict UnravelIndex-using endpoints to trusted networks if business logic permits.
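One way to implement the DETECTION step, as an added example that is not part of the original page: count, per client, how many worker restarts were preceded by a request from that client. The log layout, addresses, endpoint name, window and threshold are constructed assumptions.

```python
# Added example: correlate worker restarts with request sources.
# Log layout, addresses, endpoint name and thresholds are constructed assumptions.
from collections import Counter
from datetime import datetime, timedelta

# Constructed access-log lines: "<ISO timestamp> <client IP> <endpoint>"
ACCESS_LOG = """\
2022-02-03T10:00:01 198.51.100.7 /v1/models/demo:predict
2022-02-03T10:00:02 203.0.113.20 /v1/models/demo:predict
2022-02-03T10:01:00 192.0.2.15 /v1/models/demo:predict
2022-02-03T10:02:08 198.51.100.7 /v1/models/demo:predict
2022-02-03T10:03:30 203.0.113.20 /v1/models/demo:predict
2022-02-03T10:05:40 198.51.100.7 /v1/models/demo:predict
2022-02-03T10:05:41 192.0.2.15 /v1/models/demo:predict
""".splitlines()

# Constructed worker restart times, e.g. taken from pod restart events.
RESTARTS = ["2022-02-03T10:00:03", "2022-02-03T10:02:10", "2022-02-03T10:05:42"]


def parse_access(lines):
    """Yield (timestamp, client_ip) for each well-formed line; skip the rest."""
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1]
        except ValueError:
            continue


def suspects(access_lines, restarts, window_s=5, min_restarts=3):
    """Clients seen within `window_s` seconds before >= `min_restarts` restarts."""
    requests = list(parse_access(access_lines))
    hits = Counter()
    for restart in restarts:
        end = datetime.fromisoformat(restart)
        start = end - timedelta(seconds=window_s)
        # Count a client once per restart, however many requests it sent.
        hits.update({ip for ts, ip in requests if start <= ts <= end})
    return {ip: n for ip, n in hits.items() if n >= min_restarts}


if __name__ == "__main__":
    print(suspects(ACCESS_LOG, RESTARTS))
```

A high-volume client or a shared NAT address will precede many restarts by chance, so compare each hit count against that client's normal request rate before acting on it.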
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2022-21729 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2022-21729, increasing the risk of exploitation.
What systems are affected by CVE-2022-21729?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference APIs, shared ML notebook environments.
What is the CVSS score for CVE-2022-21729?
CVE-2022-21729 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.77%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0029 Denial of AI Service
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
Tensorflow is an Open Source Machine Learning Framework. The implementation of `UnravelIndex` is vulnerable to a division by zero caused by an integer overflow bug. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
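The failure mode in the advisory and the input-validation WORKAROUND above, as an added example that is not TensorFlow's code or the page's: `wrapped_product` models how a fixed-width product can wrap to zero and become a zero divisor, and `validate_unravel_request` rejects such input before it reaches the op. It assumes the divisor is derived from the product of the `dims` entries in a signed int32 or int64 index dtype; all function and constant names are hypothetical.

```python
# Added example, not TensorFlow code. Assumption: the divisor comes from the
# product of `dims`, computed in the op's signed index dtype (int32 or int64).

class RejectedInput(ValueError):
    """Raised by the pre-check so the request never reaches the op."""


def wrapped_product(dims, bits=32):
    """Product of dims as fixed-width two's-complement arithmetic stores it."""
    mask = (1 << bits) - 1
    prod = 1
    for d in dims:
        prod = (prod * d) & mask
    # Reinterpret the low `bits` bits as a signed value.
    return prod - (1 << bits) if prod >> (bits - 1) else prod


def validate_unravel_request(indices, dims, bits=32):
    """Check dims and indices; return the exact dims product on success."""
    limit = (1 << (bits - 1)) - 1  # largest signed value of that width
    prod = 1
    for i, d in enumerate(dims):
        if isinstance(d, bool) or not isinstance(d, int) or d <= 0:
            raise RejectedInput(f"dims[{i}] must be a positive integer: {d!r}")
        # Division form of the test: the product never exceeds `limit`.
        if prod > limit // d:
            raise RejectedInput(f"dims product overflows int{bits} at dims[{i}]")
        prod *= d
    for j, idx in enumerate(indices):
        if isinstance(idx, bool) or not isinstance(idx, int) or not 0 <= idx < prod:
            raise RejectedInput(f"indices[{j}]={idx!r} is outside [0, {prod})")
    return prod


# Constructed sample inputs (indices, dims).
SAMPLE_OK = ([5, 11], [3, 4])             # 12 cells, both indices in range
SAMPLE_WRAP = ([5], [1 << 16, 1 << 16])   # exact product 2**32, wraps to 0 in int32

if __name__ == "__main__":
    print(validate_unravel_request(*SAMPLE_OK))
    print(wrapped_product(SAMPLE_WRAP[1]))
    try:
        validate_unravel_request(*SAMPLE_WRAP)
    except RejectedInput as exc:
        print("rejected:", exc)
```

The overflow test uses `prod > limit // d` rather than multiplying first, so the check itself cannot overflow when ported to a fixed-width language.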
Exploitation Scenario
An attacker with a valid API key (low privilege) to a production TF Serving endpoint discovers that the served model uses the UnravelIndex operation (visible via model metadata or reverse engineering). They craft inference requests containing tensors with extremely large integer values designed to trigger the overflow in the divisor computation — no AI/ML expertise required, only knowledge of the op's input shape. Each malicious request crashes the TF worker process. Automated retries from legitimate clients keep the endpoint flapping. In a Kubernetes deployment without proper PodDisruptionBudgets, this achieves sustained denial of service against the ML inference layer.
Weaknesses (CWE)
CWE-190 — Integer Overflow or Wraparound: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
- [Requirements] Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
- [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. If possible, choose a language or compiler that performs automatic bounds checking.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
- github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/unravel_index_op.cc (Exploit, 3rd Party)
- github.com/tensorflow/tensorflow/commit/58b34c6c8250983948b5a781b426f6aa01fd47af (Patch, 3rd Party)
- github.com/tensorflow/tensorflow/security/advisories/GHSA-34f9-hjfq-rr8j (Patch, 3rd Party)
Related Vulnerabilities
- CVE-2020-15196 (9.9) TensorFlow: heap OOB read in sparse/ragged count ops. Same package: tensorflow
- CVE-2020-15205 (9.8) TensorFlow: heap overflow in StringNGrams, ASLR bypass. Same package: tensorflow
- CVE-2020-15208 (9.8) TFLite: OOB read/write via tensor dimension mismatch. Same package: tensorflow
- CVE-2019-16778 (9.8) TensorFlow: heap overflow in UnsortedSegmentSum op. Same package: tensorflow
- CVE-2022-23587 (9.8) TensorFlow: integer overflow in Grappler enables RCE. Same package: tensorflow