CVE-2022-21740: TensorFlow: heap overflow in sparse ops, RCE risk
HIGH | PoC AVAILABLE
CVE-2022-21740 is a heap overflow (CVSS 8.8) in TensorFlow's SparseCountSparseOutput kernel, exploitable by any low-privileged user over the network with no user interaction required, meaning any authenticated API caller against a TF Serving endpoint can trigger it. Patch to TF 2.8.0 / 2.7.1 / 2.6.3 / 2.5.3 immediately and audit network exposure of all TensorFlow Serving instances. If patching is not immediately possible, restrict inference API access to trusted internal networks and enforce strict input validation on sparse tensor payloads.
What is the risk?
HIGH. The combination of network-reachable attack vector, low complexity, and low privilege requirement makes this trivially exploitable by any authenticated API user — no AI/ML expertise needed. Full CIA impact (C:H/I:H/A:H) means a successful exploit on a TF Serving node could yield remote code execution, full model exfiltration, or complete service disruption. Exposure is broad: TensorFlow is the most widely deployed ML framework; any organization running TF Serving or processing untrusted sparse tensor inputs is at risk. Not in CISA KEV at time of analysis, but the exploit path is well-documented in the public advisory.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
Do you use TensorFlow? You're affected.
What should I do?
1. PATCH: Upgrade TensorFlow to 2.8.0, or apply cherrypick patches to 2.7.1, 2.6.3, or 2.5.3. Commits 2b7100d and adbbabd are the authoritative fixes.
2. NETWORK SEGMENTATION: Restrict TensorFlow Serving gRPC/REST endpoints to internal networks; block public exposure immediately if not patched.
3. INPUT VALIDATION: Reject or sanitize sparse tensor inputs at the API gateway layer before they reach the TF runtime: validate tensor dimensions and value ranges.
4. DETECTION: Alert on abnormal TF Serving process crashes or restarts; monitor for heap corruption signals (SIGABRT, SIGSEGV) in TF process logs.
5. INVENTORY: Run `pip show tensorflow` across all ML infrastructure nodes; include TF version in your software asset inventory and patch management process.
6. LEAST PRIVILEGE: Ensure TF Serving processes run as non-root with minimal filesystem permissions to limit blast radius of a successful exploit.
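One way to implement the INPUT VALIDATION step at a gateway, as an added example (not TensorFlow's code and not taken from the advisory). The field names `indices`, `values` and `dense_shape` follow `tf.SparseTensor`; the JSON-style payload layout, the limits `MAX_NNZ` and `MAX_DIM`, and the non-negative-values rule are assumptions to adjust per model.

```python
"""Gateway-side consistency check for COO sparse tensor payloads (added example)."""
from numbers import Integral

MAX_NNZ = 100_000    # assumed cap on entries per request
MAX_DIM = 1_000_000  # assumed cap on any dense_shape dimension


def _is_int(x):
    # bool is a subclass of int, so reject it explicitly; floats are rejected too
    return isinstance(x, Integral) and not isinstance(x, bool)


def validate_sparse_payload(payload):
    """Return a list of problems; an empty list means the payload is consistent."""
    if not isinstance(payload, dict):
        return ["payload must be an object"]
    shape = payload.get("dense_shape")
    indices = payload.get("indices")
    values = payload.get("values")
    errors = []
    if not isinstance(shape, list) or not shape or not all(_is_int(d) for d in shape):
        return ["dense_shape must be a non-empty list of integers"]
    if any(d <= 0 or d > MAX_DIM for d in shape):
        errors.append("dense_shape dimension out of allowed range")
    if not isinstance(indices, list) or not isinstance(values, list):
        return errors + ["indices and values must be lists"]
    if len(indices) != len(values):
        errors.append("indices and values differ in length")
    if len(indices) > MAX_NNZ:
        errors.append("too many entries")
    for row, idx in enumerate(indices):
        if not isinstance(idx, list) or len(idx) != len(shape) or not all(_is_int(i) for i in idx):
            errors.append(f"indices[{row}] is not an integer vector of rank {len(shape)}")
            continue
        if any(i < 0 or i >= d for i, d in zip(idx, shape)):
            errors.append(f"indices[{row}] lies outside dense_shape")
    if not all(_is_int(v) and v >= 0 for v in values):  # assumed rule for count inputs
        errors.append("values must be non-negative integers")
    return errors


# Constructed sample payloads, for illustration only
GOOD = {"indices": [[0, 0], [1, 2]], "values": [3, 1], "dense_shape": [2, 3]}
BAD = {"indices": [[0, 0], [5, 2], [1]], "values": [3, -1], "dense_shape": [2, 3]}

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_sparse_payload(sample) or "ok")
```

Reject the request at the gateway whenever the returned list is non-empty, and log the reasons so that repeated malformed sparse inputs from one caller show up alongside the crash alerts from the DETECTION step.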
Frequently Asked Questions
Is CVE-2022-21740 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2022-21740, increasing the risk of exploitation.
What systems are affected by CVE-2022-21740?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, batch inference, MLOps platforms.
What is the CVSS score for CVE-2022-21740?
CVE-2022-21740 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.78%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0029 Denial of AI Service
- AML.T0043 Craft Adversarial Data
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
Tensorflow is an Open Source Machine Learning Framework. The implementation of `SparseCountSparseOutput` is vulnerable to a heap overflow. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
Exploitation Scenario
An adversary with low-privileged API access to a TensorFlow Serving endpoint (e.g., a read-only API key or internal network access) crafts a malformed gRPC request invoking the SparseCountSparseOutput operation with manipulated sparse tensor indices designed to trigger an out-of-bounds write in count_ops.cc. The heap corruption allows the attacker to overwrite adjacent memory, ultimately achieving remote code execution in the TF Serving process. From there, the adversary can exfiltrate the deployed ML model weights and configuration, pivot to other internal services via the serving host's network access, or implant a backdoored model binary. In a shared ML platform (e.g., multi-tenant Kubeflow), a single tenant could exploit this to break isolation and access other tenants' models or training data.
Weaknesses (CWE)
CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.
- [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
- github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/count_ops.cc Exploit 3rd Party
- github.com/tensorflow/tensorflow/commit/2b7100d6cdff36aa21010a82269bc05a6d1cc74a Patch 3rd Party
- github.com/tensorflow/tensorflow/commit/adbbabdb0d3abb3cdeac69e38a96de1d678b24b3 Patch 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-44qp-9wwf-734r Patch 3rd Party
Related Vulnerabilities
- CVE-2020-15196 | 9.9 | TensorFlow: heap OOB read in sparse/ragged count ops | Same package: tensorflow
- CVE-2020-15205 | 9.8 | TensorFlow: heap overflow in StringNGrams, ASLR bypass | Same package: tensorflow
- CVE-2020-15208 | 9.8 | TFLite: OOB read/write via tensor dimension mismatch | Same package: tensorflow
- CVE-2019-16778 | 9.8 | TensorFlow: heap overflow in UnsortedSegmentSum op | Same package: tensorflow
- CVE-2022-23587 | 9.8 | TensorFlow: integer overflow in Grappler enables RCE | Same package: tensorflow