CVE-2022-21739: TensorFlow: QuantizedMaxPool null ptr deref causes DoS

MEDIUM PoC AVAILABLE
Published February 3, 2022
CISO Take

TensorFlow's QuantizedMaxPool op binds a reference to a null pointer when it is handed malformed inputs (the public proof of concept passes empty min_input and max_input tensors instead of scalars), which crashes the hosting process. Impact is availability only: no data exposure and no code execution. Upgrade to TensorFlow 2.8.0, or to 2.7.1, 2.6.3, or 2.5.3 on older release lines; any service that evaluates this op on attacker-influenced tensors, including externally reachable TF serving endpoints, is at risk.

Risk Assessment

Medium risk. CVSS 6.5 with network attack vector, low complexity, and low privileges makes this trivially exploitable wherever the op's inputs are exposed: the attacker needs only the ability to submit a request carrying malformed min_input/max_input tensors. Note the precondition: the crash requires attacker control over the op's own input tensors, which holds for services that execute client-supplied graphs or expose raw ops, and not necessarily for a fixed serving signature whose quantization ranges are produced inside the graph. Pure availability impact limits the blast radius, but repeated exploitation is a sustained denial of service against production inference infrastructure. Not in CISA KEV and no evidence of active exploitation in the wild.

Affected Systems

Package: tensorflow
Ecosystem: pip
Vulnerable Range: < 2.5.3; 2.6.0 to 2.6.2; 2.7.0
Patched: 2.5.3, 2.6.3, 2.7.1, 2.8.0


Severity & Risk

CVSS 3.1
6.5 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 44% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High

Recommended Action

5 steps
  1. Upgrade to TensorFlow 2.8.0, or to 2.7.1, 2.6.3, or 2.5.3 if you must stay on that minor line; those releases carry the cherry-picked fix, so no local backport is needed.

  2. Audit all inference endpoints that expose quantized model operations to untrusted inputs.

  3. Implement input validation and tensor shape/type checking before passing to quantized ops.

  4. Monitor inference service crash rates and automatic restarts as DoS indicators.

  5. Apply network segmentation to restrict access to TF serving endpoints to authorized clients only.
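The following is an added example of the front-end check step 3 describes; it is not TensorFlow's code and not a reproduction of the upstream fix. Tensors are modelled by their shapes only, so it runs without TensorFlow installed; in a serving front end the shapes would come from the decoded request. The request class and its field names are hypothetical. The shape rules follow the op's contract (4-D NHWC input, scalar min_input/max_input, four-element ksize and strides, VALID or SAME padding), and the scalar check is the one that turns the public proof of concept, which hands the op empty min_input and max_input tensors, into a rejected request instead of a crash.

```python
"""Guard for QuantizedMaxPool requests (added example, not TensorFlow code).

Tensors are modelled by their shapes only, so this runs without TensorFlow;
the request class and its field names are hypothetical.
"""
from dataclasses import dataclass
from typing import Sequence, Tuple


class InvalidRequest(ValueError):
    """Raised for a request that must not reach the op kernel."""


@dataclass(frozen=True)
class QuantizedMaxPoolRequest:
    input_shape: Sequence[int]      # NHWC, quint8 payload
    min_input_shape: Sequence[int]  # float, must be rank 0
    max_input_shape: Sequence[int]  # float, must be rank 0
    ksize: Sequence[int]
    strides: Sequence[int]
    padding: str


def _pooled_dim(size: int, k: int, s: int, padding: str) -> int:
    """Output extent of one spatial dimension under VALID or SAME padding."""
    if padding == "VALID":
        return (size - k) // s + 1
    return -(-size // s)  # ceil(size / s)


def validate_quantized_max_pool(req: QuantizedMaxPoolRequest) -> Tuple[int, int, int, int]:
    """Return the NHWC output shape, or raise InvalidRequest.

    The scalar check on min_input/max_input comes first because the op reads
    those two values before it looks at anything else; an empty tensor there
    is exactly what the public proof of concept supplies.
    """
    for name, shape in (("min_input", req.min_input_shape),
                        ("max_input", req.max_input_shape)):
        if len(shape) != 0:
            raise InvalidRequest(
                f"{name} must be a scalar, got rank {len(shape)} shape {tuple(shape)}")
    if len(req.input_shape) != 4:
        raise InvalidRequest(f"input must be 4-D NHWC, got rank {len(req.input_shape)}")
    if len(req.ksize) != 4 or len(req.strides) != 4:
        raise InvalidRequest("ksize and strides must have four elements")
    if any(v <= 0 for v in (*req.ksize, *req.strides)):
        raise InvalidRequest("ksize and strides must be positive")
    if req.ksize[0] != 1 or req.strides[0] != 1:
        raise InvalidRequest("pooling over the batch dimension is not supported")
    if req.padding not in ("VALID", "SAME"):
        raise InvalidRequest(f"unknown padding {req.padding!r}")
    if any(d < 0 for d in req.input_shape):
        raise InvalidRequest("negative dimension in input shape")

    n, h, w, c = req.input_shape
    out_h = _pooled_dim(h, req.ksize[1], req.strides[1], req.padding)
    out_w = _pooled_dim(w, req.ksize[2], req.strides[2], req.padding)
    if out_h <= 0 or out_w <= 0:
        raise InvalidRequest(
            f"window {tuple(req.ksize)} yields an empty output for input {h}x{w}")
    return (n, out_h, out_w, c)


# Constructed requests: the first has the shape of the public proof of concept
# (empty min/max tensors), the second is a well-formed 2x2 window over a
# 1x4x4x3 image.
POC_SHAPED = QuantizedMaxPoolRequest(
    input_shape=(2, 2), min_input_shape=(0,), max_input_shape=(0,),
    ksize=(1, 1, 1, 1), strides=(1, 1, 1, 1), padding="VALID")
WELL_FORMED = QuantizedMaxPoolRequest(
    input_shape=(1, 4, 4, 3), min_input_shape=(), max_input_shape=(),
    ksize=(1, 2, 2, 1), strides=(1, 2, 2, 1), padding="VALID")


def is_accepted(req: QuantizedMaxPoolRequest) -> bool:
    """True if the request passes the guard, False if it would be rejected."""
    try:
        validate_quantized_max_pool(req)
    except InvalidRequest:
        return False
    return True


if __name__ == "__main__":
    print("poc-shaped accepted:", is_accepted(POC_SHAPED))
    print("well-formed output shape:", validate_quantized_max_pool(WELL_FORMED))
```

Rejecting at the front end is defence in depth, not a substitute for the upgrade: the patched releases perform an equivalent scalar check inside the kernel, and a guard like this only protects the request paths it is wired into.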

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.9.3 - AI System Operation and Monitoring
NIST AI RMF
MANAGE-2.2 - Mechanisms are in place to address identified vulnerabilities
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2022-21739?

CVE-2022-21739 is an availability bug in TensorFlow's QuantizedMaxPool op: malformed user-controlled inputs (empty min_input/max_input tensors in the public proof of concept) make the op bind a reference to a null pointer and crash the process. There is no data exposure or code execution. Fixed in TensorFlow 2.8.0, 2.7.1, 2.6.3, and 2.5.3.

Is CVE-2022-21739 actively exploited?

There is no evidence of exploitation in the wild and the CVE is not in CISA KEV. Proof-of-concept code is publicly available, however, and the trigger is trivial, so exposed endpoints should be treated as at risk until patched.

How to fix CVE-2022-21739?

1. Upgrade to TensorFlow 2.8.0, or to 2.7.1, 2.6.3, or 2.5.3 if you must stay on that minor line; those releases carry the cherry-picked fix. 2. Audit all inference endpoints that expose quantized model operations to untrusted inputs. 3. Implement input validation and tensor shape/type checking before passing to quantized ops. 4. Monitor inference service crash rates and automatic restarts as DoS indicators. 5. Apply network segmentation to restrict access to TF serving endpoints to authorized clients only.

What systems are affected by CVE-2022-21739?

Any deployment running an unpatched TensorFlow build that evaluates QuantizedMaxPool on tensors an attacker can influence. The page classifies the exposure under these AI/ML architecture patterns: model serving, inference pipelines, edge deployment, training pipelines.

What is the CVSS score for CVE-2022-21739?

CVE-2022-21739 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.22%.

Technical Details

NVD Description

Tensorflow is an Open Source Machine Learning Framework. The implementation of `QuantizedMaxPool` has an undefined behavior where user controlled inputs can trigger a reference binding to null pointer. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with low-privilege API access to a service that evaluates QuantizedMaxPool on request-supplied tensors submits a request whose min_input or max_input tensor is empty rather than a scalar. The op binds a reference to a null pointer and the process crashes immediately, taking the service down until it restarts. In automated pipelines (real-time fraud detection, computer vision inference, recommendation systems) repeated submission produces a sustained outage with minimal attacker effort and no special tooling, since the public proof of concept is a single call to the op from Python.
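The sustained-outage pattern above shows up operationally as a burst of crash restarts of the same serving process, which is the signal recommended action 4 asks you to watch. As an added example (not part of this page, of TensorFlow, or of any orchestrator), here is a sliding-window detector run over constructed restart log lines. The log format and service names are hypothetical; only the exit codes are real: 139 is 128+SIGSEGV and 134 is 128+SIGABRT, the two signatures a native crash in a C++ op normally leaves behind, and a clean exit (0) is deliberately ignored so routine rollouts do not alert.

```python
"""Crash-burst detector over serving restart events (added example).

The log line format is constructed for this example; adapt LINE_RE to what
your supervisor or orchestrator actually emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Tuple

# 139 = 128 + SIGSEGV, 134 = 128 + SIGABRT: native crash signatures.
CRASH_EXIT_CODES = {134, 139}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<service>\S+) restart exit_code=(?P<code>\d+)$")

# Constructed sample: three crash restarts of one service inside 90 seconds,
# one clean restart of another, then isolated crashes later on.
SAMPLE_LOG = """\
2022-02-03T10:00:01Z tf-serving-fraud restart exit_code=139
2022-02-03T10:00:40Z tf-serving-fraud restart exit_code=139
2022-02-03T10:01:15Z tf-serving-vision restart exit_code=0
2022-02-03T10:01:30Z tf-serving-fraud restart exit_code=134
2022-02-03T10:09:00Z tf-serving-fraud restart exit_code=139
2022-02-03T10:30:00Z tf-serving-vision restart exit_code=139
"""

Event = Tuple[datetime, str, int]


def parse_events(text: str) -> List[Event]:
    """Parse restart lines into (timestamp, service, exit_code); skip others."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["service"], int(m["code"])))
    return events


def detect_crash_bursts(events: List[Event],
                        window: timedelta = timedelta(minutes=5),
                        threshold: int = 3) -> List[Tuple[str, datetime, int]]:
    """Return (service, time, count) whenever a service accumulates `threshold`
    crash restarts within `window`. Clean exits are ignored, and the window is
    cleared after an alert so one burst produces one alert."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, datetime, int]] = []
    for ts, service, code in sorted(events):
        if code not in CRASH_EXIT_CODES:
            continue
        q = recent[service]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((service, ts, len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for service, when, count in detect_crash_bursts(parse_events(SAMPLE_LOG)):
        print(f"ALERT {service}: {count} crash restarts by {when.isoformat()}")
```

Pair the alert with the request log for the same window: a burst of SIGSEGV/SIGABRT restarts that lines up with requests from one client or one source network is the practical indicator that someone is driving this bug rather than a model rollout going wrong.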

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
February 3, 2022
Last Modified
May 5, 2025
First Seen
February 3, 2022
