CVE-2022-21739: TensorFlow: QuantizedMaxPool null ptr deref causes DoS

MEDIUM PoC AVAILABLE
Published February 3, 2022
CISO Take

A null pointer dereference (a reference binding to a null pointer, in the advisory's words) in TensorFlow's QuantizedMaxPool op lets anyone who can feed crafted tensors to that op crash the hosting process. The CVSS vector assumes a network-reachable service and a low-privileged client (PR:L). Impact is availability only: no data exposure, no code execution. Patch to TF 2.8.0, or to 2.7.1, 2.6.3 or 2.5.3 on the older supported branches; any externally reachable TensorFlow process that executes this op on untrusted inputs is at risk.

What is the risk?

Medium risk. CVSS 6.5: network attack vector, low attack complexity, low privileges required and no user interaction, so an exposed endpoint that reaches the op can be crashed with a single request. Pure availability impact limits the blast radius, but repeated exploitation is a sustained denial of service against production inference infrastructure. Not in CISA KEV and no evidence of exploitation in the wild, although a public proof of concept exists.

What systems are affected?

Package     Ecosystem   Vulnerable Range                              Patched
TensorFlow  pip         < 2.5.3; 2.6.0 to 2.6.2; 2.7.0                2.5.3, 2.6.3, 2.7.1, 2.8.0

Branches older than 2.5 were out of support when the fix shipped and receive no patch release.

If you run TensorFlow at any version below the patched releases (anything before 2.5.3, 2.6.0 to 2.6.2, or 2.7.0), you are affected; older, unsupported branches stay vulnerable.

How severe is it?

CVSS 3.1
6.5 / 10
EPSS
0.8%
chance of exploitation in 30 days
Higher than 51% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV  Attack Vector         Network
AC  Attack Complexity     Low
PR  Privileges Required   Low
UI  User Interaction      None
S   Scope                 Unchanged
C   Confidentiality       None
I   Integrity             None
A   Availability          High

What should I do?

5 steps
  1. Upgrade to TensorFlow 2.8.0. If you are pinned to an older minor, move to the patch release that already carries the cherry-picked fix: 2.7.1, 2.6.3, or 2.5.3. Branches older than 2.5 get no fix; migrate them.

  2. Inventory served graphs and find those containing QuantizedMaxPool (or other quantized ops) that consume untrusted input. Also flag any service that executes caller-supplied graphs or exposes raw ops, since those reach the kernel directly.

  3. Validate untrusted tensors at the serving boundary before they reach quantized ops: check dtype, rank and shape against the op's declared signature (for QuantizedMaxPool, a rank-4 quantized input and scalar float min_input/max_input) and reject anything else rather than relying on the kernel.

  4. Monitor inference service crash rates and automatic restarts as DoS indicators; a crash loop on a serving unit is the signature of repeated exploitation.

  5. Apply network segmentation to restrict access to TF serving endpoints to authorized clients only.
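The following is an added example, not TensorFlow project code and not part of the original advisory: a pre-dispatch validator for the arguments of QuantizedMaxPool, of the kind step 3 calls for. It assumes a serving layer that can see each request tensor's dtype and static shape before the graph runs; the TensorArg view and the screen_request and validate_quantized_max_pool names are this example's own. The shape rules follow the op's declared signature: a rank-4 quantized input, scalar float32 min_input/max_input, and 4-entry ksize/strides that do not pool over batch or depth. Rejecting non-scalar range tensors is the pre-condition the patched kernel itself enforces; the remaining checks are the stricter gateway policy a practitioner would add.

```python
"""Pre-dispatch validation for QuantizedMaxPool requests (added example)."""
from dataclasses import dataclass
from typing import Sequence, Tuple


@dataclass(frozen=True)
class TensorArg:
    """Minimal view of a request tensor: dtype name and static shape (assumed API)."""
    dtype: str
    shape: Tuple[int, ...]


class RejectedRequest(ValueError):
    """Raised for a request that must not be handed to the kernel."""


QUANTIZED_DTYPES = {"qint8", "quint8", "qint16", "quint16", "qint32"}
VALID_PADDING = {"SAME", "VALID"}


def _check(cond: bool, msg: str) -> None:
    if not cond:
        raise RejectedRequest(msg)


def validate_quantized_max_pool(
    input_t: TensorArg,
    min_input: TensorArg,
    max_input: TensorArg,
    ksize: Sequence[int],
    strides: Sequence[int],
    padding: str,
) -> dict:
    """Validate QuantizedMaxPool arguments before the op executes.

    Returns a normalized argument dict on success; raises RejectedRequest
    with a reason string otherwise.
    """
    # Activation tensor: quantized dtype, rank 4 (NHWC), no zero-sized dims.
    _check(input_t.dtype in QUANTIZED_DTYPES,
           f"input dtype {input_t.dtype!r} is not a quantized type")
    _check(len(input_t.shape) == 4,
           f"input must be rank 4 (NHWC), got rank {len(input_t.shape)}")
    _check(all(d >= 1 for d in input_t.shape), "input has a zero-sized dimension")

    # Range tensors: the op declares float scalars. A non-scalar (in particular
    # an empty) tensor here is exactly what the patched kernel now rejects.
    for name, t in (("min_input", min_input), ("max_input", max_input)):
        _check(t.dtype == "float32", f"{name} must be float32, got {t.dtype!r}")
        _check(t.shape == (), f"{name} must be a scalar, got shape {t.shape}")

    # Window and stride: 4 positive entries, and no pooling over batch or depth
    # (the same constraint TensorFlow's pooling kernels impose).
    for name, v in (("ksize", ksize), ("strides", strides)):
        _check(len(v) == 4, f"{name} must have 4 entries, got {len(v)}")
        _check(all(isinstance(x, int) and x >= 1 for x in v),
               f"{name} entries must be positive integers")
        _check(v[0] == 1 and v[3] == 1,
               f"{name} must not pool over batch or depth (got {list(v)})")

    _check(padding in VALID_PADDING, f"unsupported padding {padding!r}")

    return {
        "input_shape": input_t.shape,
        "ksize": tuple(ksize),
        "strides": tuple(strides),
        "padding": padding,
    }


def screen_request(args: dict) -> Tuple[bool, str]:
    """Gateway wrapper: (True, 'ok') to forward, (False, reason) to drop."""
    try:
        validate_quantized_max_pool(**args)
    except (RejectedRequest, TypeError, KeyError) as exc:
        return False, str(exc)
    return True, "ok"


# Constructed sample requests for the example; not real traffic.
GOOD_REQUEST = dict(
    input_t=TensorArg("quint8", (1, 28, 28, 3)),
    min_input=TensorArg("float32", ()),
    max_input=TensorArg("float32", ()),
    ksize=[1, 2, 2, 1], strides=[1, 2, 2, 1], padding="SAME",
)

# Empty range tensors where scalars are expected: the shape class the advisory
# describes and the patched kernel refuses.
POC_SHAPED_REQUEST = dict(
    GOOD_REQUEST,
    input_t=TensorArg("quint8", (1, 1, 1, 1)),
    min_input=TensorArg("float32", (0,)),
    max_input=TensorArg("float32", (0,)),
    ksize=[1, 1, 1, 1], strides=[1, 1, 1, 1],
)

if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("empty-range", POC_SHAPED_REQUEST)):
        print(label, screen_request(req))
```

The validator fails closed: anything it cannot classify (a missing argument, a wrong type) is dropped with a reason string that can go straight into the gateway's audit log, while the kernel only ever sees arguments that match the op's contract.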

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.9.3 - AI System Operation and Monitoring
NIST AI RMF
MANAGE-2.2 - Mechanisms are in place to address identified vulnerabilities
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2022-21739?

A denial-of-service flaw in TensorFlow's QuantizedMaxPool op: crafted, user-controlled inputs trigger a reference binding to a null pointer in the kernel, which crashes the process. It affects releases before 2.5.3, 2.6.0 to 2.6.2, and 2.7.0, and is fixed in 2.8.0, 2.7.1, 2.6.3 and 2.5.3. It has no confidentiality or integrity impact.

Is CVE-2022-21739 actively exploited?

No in-the-wild exploitation has been reported and the CVE is not in CISA KEV, but proof-of-concept code is publicly available (indexed via trickest/cve), so exploiting an exposed, unpatched endpoint needs no skill beyond reaching it.

How to fix CVE-2022-21739?

Upgrade to TensorFlow 2.8.0, or to the patch release of your pinned branch (2.7.1, 2.6.3, or 2.5.3), which already carries the cherry-picked fix. Until then: find served graphs that run quantized ops on untrusted input, validate tensor dtype and shape at the serving boundary, watch for crash loops on serving units, and restrict network access to serving endpoints.

What systems are affected by CVE-2022-21739?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference pipelines, edge deployment, training pipelines.

What is the CVSS score for CVE-2022-21739?

CVE-2022-21739 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.77%.

What is the AI security impact?

Affected AI Architectures

model serving, inference pipelines, edge deployment, training pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.9.3
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

Tensorflow is an Open Source Machine Learning Framework. The implementation of `QuantizedMaxPool` has an undefined behavior where user controlled inputs can trigger a reference binding to null pointer. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with low-privilege API access to a TensorFlow process that executes QuantizedMaxPool on caller-controlled tensors submits a request whose tensors violate the shapes the op expects. The unpatched kernel binds a reference to a null pointer, which is undefined behaviour and in practice aborts the process, taking the service down until it restarts. The op is reachable only if the served graph contains it (a quantized model) and the attacker controls the tensors it consumes; services that execute caller-supplied graphs or expose raw ops are reachable directly. In automated pipelines (real-time fraud detection, computer vision inference, recommendation systems) repeating the request produces a sustained outage with minimal effort and no special tooling.
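The sustained-outage pattern above shows up as a crash loop in the service manager's log, which is the DoS indicator step 4 of the remediation list refers to. As an added example (not part of the original page and not TensorFlow Serving code), the following Python scans journald-style lines for abnormal exits of a unit and alerts when a unit dies a configurable number of times inside a sliding window. The log lines are constructed for the example; the unit name model_server.service, the message format and the thresholds are assumptions to adapt to your own environment.

```python
"""Crash-loop detection over service-manager logs (added example)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed sample log in journald style; not captured from a real system.
# One isolated crash at 10:03, then four exits in two minutes from 10:41.
SAMPLE_LOG = """\
2022-02-04T10:00:05Z model_server[3001]: Running gRPC ModelServer at 0.0.0.0:8500
2022-02-04T10:03:17Z systemd[1]: model_server.service: Main process exited, code=killed, status=11/SEGV
2022-02-04T10:03:18Z systemd[1]: model_server.service: Scheduled restart job, restart counter is at 1.
2022-02-04T10:03:20Z model_server[3044]: Running gRPC ModelServer at 0.0.0.0:8500
2022-02-04T10:41:02Z systemd[1]: model_server.service: Main process exited, code=killed, status=11/SEGV
2022-02-04T10:41:03Z systemd[1]: model_server.service: Scheduled restart job, restart counter is at 2.
2022-02-04T10:41:05Z model_server[3090]: Running gRPC ModelServer at 0.0.0.0:8500
2022-02-04T10:41:44Z systemd[1]: model_server.service: Main process exited, code=killed, status=11/SEGV
2022-02-04T10:41:45Z systemd[1]: model_server.service: Scheduled restart job, restart counter is at 3.
2022-02-04T10:41:47Z model_server[3111]: Running gRPC ModelServer at 0.0.0.0:8500
2022-02-04T10:42:30Z systemd[1]: model_server.service: Main process exited, code=killed, status=11/SEGV
2022-02-04T10:42:31Z systemd[1]: model_server.service: Scheduled restart job, restart counter is at 4.
2022-02-04T10:42:33Z model_server[3130]: Running gRPC ModelServer at 0.0.0.0:8500
2022-02-04T10:43:12Z systemd[1]: model_server.service: Main process exited, code=exited, status=0/SUCCESS
"""

# Assumed line format: ISO timestamp, "systemd[pid]:", unit, exit code and status.
EXIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) systemd\[\d+\]: "
    r"(?P<unit>\S+): Main process exited, code=(?P<code>\w+), status=(?P<status>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    unit: str
    first: datetime   # oldest crash still inside the window
    last: datetime    # the crash that crossed the threshold
    count: int


def parse_crash(line: str) -> Optional[Tuple[str, datetime]]:
    """Return (unit, timestamp) if the line records an abnormal exit, else None."""
    m = EXIT_RE.match(line)
    if not m:
        return None
    code, status = m.group("code"), m.group("status")
    # A signal death (SIGSEGV, SIGABRT) appears as code=killed, or dumped when a
    # core was written; a non-zero exit status is also abnormal. 0/SUCCESS is not.
    crashed = code in {"killed", "dumped"} or (code == "exited" and not status.startswith("0/"))
    if not crashed:
        return None
    return m.group("unit"), datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")


def detect_crash_loops(lines: Iterable[str], window_minutes: int = 5, threshold: int = 3) -> List[Alert]:
    """Alert when a unit crashes `threshold` times within `window_minutes`.

    One alert is emitted per threshold crossing; further crashes inside the
    same window do not re-alert until the window has drained below threshold.
    """
    window = timedelta(minutes=window_minutes)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Alert] = []
    for line in lines:
        hit = parse_crash(line)
        if hit is None:
            continue
        unit, ts = hit
        q = recent[unit]
        q.append(ts)
        while q and ts - q[0] > window:   # drop crashes older than the window
            q.popleft()
        if len(q) == threshold:
            alerts.append(Alert(unit, q[0], ts, len(q)))
    return alerts


if __name__ == "__main__":
    for a in detect_crash_loops(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a.unit}: {a.count} crashes between {a.first:%H:%M:%S} and {a.last:%H:%M:%S}")
```

Feed the same function the output of `journalctl -u <unit> -o short-iso --follow` (after the timestamp format is matched) and a single crash-loop alert is a better trigger for incident response than raw restart counts, which a supervisor resets on every clean start.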

Weaknesses (CWE)

CWE-476 — NULL Pointer Dereference: The product dereferences a pointer that it expects to be valid but is NULL.

  • [Implementation] For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
  • [Requirements] Select a programming language that is not susceptible to these issues.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
February 3, 2022
Last Modified
May 5, 2025
First Seen
February 3, 2022

Related Vulnerabilities