CVE-2022-21733 — MEDIUM (CVSS 6.5) AI Security Vulnerability

CISO Take

Any TensorFlow deployment exposing the StringNGrams operation via an inference API is vulnerable to remote DoS by any authenticated user — the exploitation bar is low. Patch immediately to TF 2.8.0, 2.7.1, 2.6.3, or 2.5.3. If patching is delayed, add strict server-side input validation on pad_width parameters and enforce memory limits on inference containers.

Risk Assessment

Medium severity (CVSS 6.5) but operationally significant for NLP inference services. AV:N/AC:L/PR:L means any authenticated API consumer can crash the server with a single crafted request. No code execution or data exposure, but uncontrolled OOM can cascade to container or node failures in shared infrastructure. Not in CISA KEV and no observed in-the-wild exploitation, but the vulnerability is trivially reproducible from the public patch diff.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

6.5 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 46% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch: upgrade to TensorFlow 2.8.0, 2.7.1, 2.6.3, or 2.5.3 — commit f68fdab93fb7f4ddb4eb438c8fe052753c9413e8 contains the fix.
Workaround: validate and bound pad_width inputs at the API gateway layer before invoking StringNGrams operations.
Defense-in-depth: enforce memory limits on TF inference containers (e.g., Kubernetes resource limits) to contain blast radius of OOM events.
Detection: alert on sudden memory spikes followed by OOM kills in TF serving processes; monitor for abnormal request patterns targeting string processing endpoints.
API hardening: restrict inference API access to the minimum required set of authenticated callers.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI system operational and monitoring controls

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain AI system operation in adverse conditions

OWASP LLM Top 10

LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2022-21733?

Any TensorFlow deployment exposing the StringNGrams operation via an inference API is vulnerable to remote DoS by any authenticated user — the exploitation bar is low. Patch immediately to TF 2.8.0, 2.7.1, 2.6.3, or 2.5.3. If patching is delayed, add strict server-side input validation on pad_width parameters and enforce memory limits on inference containers.

Is CVE-2022-21733 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-21733, increasing the risk of exploitation.

How to fix CVE-2022-21733?

1. Patch: upgrade to TensorFlow 2.8.0, 2.7.1, 2.6.3, or 2.5.3 — commit f68fdab93fb7f4ddb4eb438c8fe052753c9413e8 contains the fix. 2. Workaround: validate and bound pad_width inputs at the API gateway layer before invoking StringNGrams operations. 3. Defense-in-depth: enforce memory limits on TF inference containers (e.g., Kubernetes resource limits) to contain blast radius of OOM events. 4. Detection: alert on sudden memory spikes followed by OOM kills in TF serving processes; monitor for abnormal request patterns targeting string processing endpoints. 5. API hardening: restrict inference API access to the minimum required set of authenticated callers.

What systems are affected by CVE-2022-21733?

This vulnerability affects the following AI/ML architecture patterns: model serving, NLP preprocessing pipelines, training pipelines.

What is the CVSS score for CVE-2022-21733?

CVE-2022-21733 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.23%.

Technical Details

NVD Description

Tensorflow is an Open Source Machine Learning Framework. The implementation of `StringNGrams` can be used to trigger a denial of service attack by causing an out of memory condition after an integer overflow. We are missing a validation on `pad_witdh` and that result in computing a negative value for `ngram_width` which is later used to allocate parts of the output. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with a valid API account — a trial user, compromised credential, or malicious insider — submits a text inference request to a TensorFlow Serving endpoint that processes n-gram features. The request includes a crafted pad_width value designed to trigger integer overflow in the StringNGrams kernel. TF computes a negative ngram_width and attempts to allocate an impossibly large output buffer, exhausting server memory and crashing the inference process. In Kubernetes environments, this triggers pod restart loops, producing a sustained service outage for all users sharing that endpoint with no forensic indicators beyond OOM logs.