CVE-2022-21740: TensorFlow: heap overflow in sparse ops, RCE risk

HIGH PoC AVAILABLE
Published February 3, 2022
CISO Take

CVE-2022-21740 is a heap overflow (CVSS 8.8) in TensorFlow's SparseCountSparseOutput kernel, exploitable by any low-privileged user over the network with no user interaction required — meaning any authenticated API caller against a TF Serving endpoint can trigger it. Patch to TF 2.8.0 / 2.7.1 / 2.6.3 / 2.5.3 immediately and audit network exposure of all TensorFlow Serving instances. If patching is not immediately possible, restrict inference API access to trusted internal networks and enforce strict input validation on sparse tensor payloads.

Risk Assessment

HIGH. The combination of network-reachable attack vector, low complexity, and low privilege requirement makes this trivially exploitable by any authenticated API user — no AI/ML expertise needed. Full CIA impact (C:H/I:H/A:H) means a successful exploit on a TF Serving node could yield remote code execution, full model exfiltration, or complete service disruption. Exposure is broad: TensorFlow is the most widely deployed ML framework; any organization running TF Serving or processing untrusted sparse tensor inputs is at risk. Not in CISA KEV at time of analysis, but the exploit path is well-documented in the public advisory.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 8.8 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 54% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

Recommended Action

  1. PATCH

    Upgrade TensorFlow to 2.8.0, or apply cherrypick patches to 2.7.1, 2.6.3, or 2.5.3. Commits 2b7100d and adbbaba are the authoritative fixes.

  2. NETWORK SEGMENTATION

    Restrict TensorFlow Serving gRPC/REST endpoints to internal networks; block public exposure immediately if not patched.

  3. INPUT VALIDATION

    Reject or sanitize sparse tensor inputs at the API gateway layer before they reach the TF runtime — validate tensor dimensions and value ranges.

  4. DETECTION

    Alert on abnormal TF Serving process crashes or restarts; monitor for heap corruption signals (SIGABRT, SIGSEGV) in TF process logs.

  5. INVENTORY

    Run pip show tensorflow across all ML infrastructure nodes; include TF version in your software asset inventory and patch management process.

  6. LEAST PRIVILEGE

    Ensure TF Serving processes run as non-root with minimal filesystem permissions to limit blast radius of a successful exploit.
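
An added example for step 3 (not TensorFlow's code and not part of the original advisory): a gateway-side structural check on a sparse tensor payload before it is forwarded to the TF runtime. The field names follow the three components of `tf.SparseTensor`; the limits `MAX_RANK`, `MAX_DIM`, `MAX_NNZ` and `MAX_VALUE` are hypothetical policy values, and the sample requests are constructed.

```python
# Added example: structural checks for a sparse tensor payload at an API gateway.
# MAX_RANK, MAX_DIM, MAX_NNZ and MAX_VALUE are hypothetical policy limits.
MAX_RANK, MAX_DIM, MAX_NNZ, MAX_VALUE = 2, 1_000_000, 100_000, 1_000_000


def _is_int(x):
    # bool is a subclass of int in Python; JSON true/false must not pass as numbers
    return isinstance(x, int) and not isinstance(x, bool)


def validate_sparse(payload):
    """Return a list of violations; an empty list means the payload may be forwarded."""
    errors = []
    shape = payload.get("dense_shape")
    indices = payload.get("indices")
    values = payload.get("values")
    if not (isinstance(shape, list) and 1 <= len(shape) <= MAX_RANK
            and all(_is_int(d) and 0 <= d <= MAX_DIM for d in shape)):
        return ["dense_shape must be 1..%d ints in [0, %d]" % (MAX_RANK, MAX_DIM)]
    if not isinstance(indices, list) or not isinstance(values, list):
        return ["indices and values must be lists"]
    if len(indices) != len(values):
        errors.append("indices has %d rows but values has %d entries"
                      % (len(indices), len(values)))
    if len(indices) > MAX_NNZ:
        errors.append("too many non-zero entries: %d" % len(indices))
    for row_no, row in enumerate(indices[:MAX_NNZ]):
        if not (isinstance(row, list) and len(row) == len(shape)
                and all(_is_int(i) for i in row)):
            errors.append("indices[%d] is not %d ints" % (row_no, len(shape)))
        elif any(not 0 <= i < d for i, d in zip(row, shape)):
            errors.append("indices[%d]=%r outside dense_shape %r" % (row_no, row, shape))
    for pos, v in enumerate(values[:MAX_NNZ]):
        if not (_is_int(v) and 0 <= v <= MAX_VALUE):
            errors.append("values[%d]=%r outside [0, %d]" % (pos, v, MAX_VALUE))
    return errors


# Constructed sample requests (not captured traffic).
GOOD = {"indices": [[0, 0], [1, 2]], "values": [3, 7], "dense_shape": [2, 4]}
BAD_INDEX = {"indices": [[0, 0], [5, 2]], "values": [3, 7], "dense_shape": [2, 4]}
BAD_COUNT = {"indices": [[0, 0]], "values": [3, 7], "dense_shape": [2, 4]}
BAD_VALUE = {"indices": [[0, 0]], "values": [-1], "dense_shape": [2, 4]}

if __name__ == "__main__":
    for name, req in [("good", GOOD), ("bad_index", BAD_INDEX),
                      ("bad_count", BAD_COUNT), ("bad_value", BAD_VALUE)]:
        print(name, validate_sparse(req) or "ok")
```

Logging each rejection with the caller's identity gives the detection step a signal that arrives before any process crash.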

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.3 - AI system security and resilience
NIST AI RMF: MANAGE 4.1 - Residual risks and vulnerabilities are monitored and managed
OWASP LLM Top 10: LLM05:2025 - Insecure Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2022-21740?

CVE-2022-21740 is a heap overflow (CVSS 8.8) in TensorFlow's SparseCountSparseOutput kernel, exploitable by any low-privileged user over the network with no user interaction required — meaning any authenticated API caller against a TF Serving endpoint can trigger it. Patch to TF 2.8.0 / 2.7.1 / 2.6.3 / 2.5.3 immediately and audit network exposure of all TensorFlow Serving instances. If patching is not immediately possible, restrict inference API access to trusted internal networks and enforce strict input validation on sparse tensor payloads.

Is CVE-2022-21740 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-21740, increasing the risk of exploitation.

How to fix CVE-2022-21740?

  1. PATCH: Upgrade TensorFlow to 2.8.0, or apply cherrypick patches to 2.7.1, 2.6.3, or 2.5.3. Commits 2b7100d and adbbaba are the authoritative fixes.
  2. NETWORK SEGMENTATION: Restrict TensorFlow Serving gRPC/REST endpoints to internal networks; block public exposure immediately if not patched.
  3. INPUT VALIDATION: Reject or sanitize sparse tensor inputs at the API gateway layer before they reach the TF runtime — validate tensor dimensions and value ranges.
  4. DETECTION: Alert on abnormal TF Serving process crashes or restarts; monitor for heap corruption signals (SIGABRT, SIGSEGV) in TF process logs.
  5. INVENTORY: Run `pip show tensorflow` across all ML infrastructure nodes; include TF version in your software asset inventory and patch management process.
  6. LEAST PRIVILEGE: Ensure TF Serving processes run as non-root with minimal filesystem permissions to limit blast radius of a successful exploit.

What systems are affected by CVE-2022-21740?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, batch inference, MLOps platforms.

What is the CVSS score for CVE-2022-21740?

CVE-2022-21740 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.31%.

Technical Details

NVD Description

Tensorflow is an Open Source Machine Learning Framework. The implementation of `SparseCountSparseOutput` is vulnerable to a heap overflow. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with low-privileged API access to a TensorFlow Serving endpoint (e.g., a read-only API key or internal network access) crafts a malformed gRPC request invoking the SparseCountSparseOutput operation with manipulated sparse tensor indices designed to trigger an out-of-bounds write in count_ops.cc. The heap corruption allows the attacker to overwrite adjacent memory, ultimately achieving remote code execution in the TF Serving process. From there, the adversary can exfiltrate the deployed ML model weights and configuration, pivot to other internal services via the serving host's network access, or implant a backdoored model binary. In a shared ML platform (e.g., multi-tenant Kubeflow), a single tenant could exploit this to break isolation and access other tenants' models or training data.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: February 3, 2022
Last Modified: May 5, 2025
First Seen: February 3, 2022

Related Vulnerabilities