CVE-2022-23559: TFLite: integer overflow in embedding lookup → heap OOB RW
HIGH PoC AVAILABLE CISA: ATTEND
Any service that accepts user-submitted TFLite model files is exposed to heap out-of-bounds read/write, which can lead to remote code execution with only low-privilege access and no user interaction required. If your organisation runs TFLite inference endpoints or pipelines that ingest externally supplied models, patch immediately and enforce strict model provenance controls. CVSS 8.8 with network vector and low complexity makes this trivially weaponisable by any authenticated API user.
What is the risk?
High severity (CVSS 8.8). The attack requires only low privileges and zero user interaction, eliminating most practical barriers to exploitation. The integer overflow in embedding_size × lookup_size produces a heap OOB R/W primitive—a reliable stepping stone to RCE on the host running inference. Exposure is highest in multi-tenant model-serving platforms, ML-as-a-Service offerings, and CI/CD pipelines that automatically evaluate community-contributed models. Not in CISA KEV as of analysis date, but the low exploitation complexity warrants treatment as actively exploitable.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
Do you use TensorFlow? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps
1. PATCH: Upgrade TensorFlow to a version containing commits 1de4972, a4e401d, and f19be71 (released post-2022-02-04). Verify via `pip show tensorflow` and cross-check against TF security advisories.
2. VALIDATE INPUTS: Before passing a TFLite model to the interpreter, validate that embedding_size and lookup_size values are within safe bounds and their product does not overflow int32/int64.
3. MODEL PROVENANCE: Reject TFLite models from untrusted sources; enforce cryptographic signing of model artifacts in your ML pipeline.
4. SANDBOX INFERENCE: Run TFLite inference in isolated processes or containers with minimal filesystem and network permissions; use seccomp/AppArmor profiles.
5. DETECT: Monitor inference workers for anomalous memory access patterns (ASAN in staging, heap-hardening allocators in production). Alert on unexpected crashes or segfaults in TFLite interpreter processes.
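The VALIDATE INPUTS step, sketched in C as an added example (not TensorFlow's code or its patch): an unchecked 32-bit product of model-supplied dimensions wraps to a small value, while the checked version rejects the shape before anything is allocated. The function names, the sample shapes, and which dimensions feed each product are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked product as the advisory describes; unsigned so the wrap is defined. */
uint32_t wrapping_product(const int32_t *dims, size_t n) {
    uint32_t acc = 1;
    for (size_t i = 0; i < n; i++) acc *= (uint32_t)dims[i];
    return acc;
}

/* Multiply two non-negative int32 values; false if the result does not fit. */
static bool checked_mul(int32_t a, int32_t b, int32_t *out) {
    if (a < 0 || b < 0 || (b != 0 && a > INT32_MAX / b)) return false;
    *out = a * b;
    return true;
}

/* Checked product of n dimensions; false on a negative dim or overflow. */
bool checked_product(const int32_t *dims, size_t n, int32_t *out) {
    int32_t acc = 1;
    for (size_t i = 0; i < n; i++)
        if (!checked_mul(acc, dims[i], &acc)) return false;
    *out = acc;
    return true;
}

/* Hypothetical pre-flight check: embedding_size and lookup_size are each a
 * product of model-supplied dims, and their product sizes the output. */
bool validate_embedding_shapes(const int32_t *embed_dims, size_t embed_n,
                               const int32_t *lookup_dims, size_t lookup_n,
                               int32_t *output_elems) {
    int32_t embedding_size, lookup_size;
    return checked_product(embed_dims, embed_n, &embedding_size) &&
           checked_product(lookup_dims, lookup_n, &lookup_size) &&
           checked_mul(lookup_size, embedding_size, output_elems);
}

/* Constructed sample shapes, not taken from any real model. */
const int32_t SAMPLE_BAD_EMBED[] = {65536, 65537}; /* true product 2^32 + 65536 */
const int32_t SAMPLE_OK_EMBED[] = {128, 64};
const int32_t SAMPLE_LOOKUP[] = {4, 8};

int main(void) {
    int32_t out = 0;
    printf("unchecked product: %u\n", (unsigned)wrapping_product(SAMPLE_BAD_EMBED, 2));
    printf("accepted: %d\n", validate_embedding_shapes(SAMPLE_BAD_EMBED, 2, SAMPLE_LOOKUP, 2, &out));
    return 0;
}
```

The same check belongs on every multiplication that feeds a buffer size, including the final product of the two sizes, since each factor can fit in 32 bits while their product does not.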
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
Is CVE-2022-23559 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2022-23559, increasing the risk of exploitation.
What systems are affected by CVE-2022-23559?
This vulnerability affects the following AI/ML architecture patterns: TFLite edge inference, model serving, training pipelines, recommendation system inference, on-device ML (mobile/embedded).
What is the CVSS score for CVE-2022-23559?
CVE-2022-23559 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 1.16%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0011.000 Unsafe AI Artifacts
- AML.T0049 Exploit Public-Facing Application
Compliance Controls Affected
What are the technical details?
Original Advisory
Tensorflow is an Open Source Machine Learning Framework. An attacker can craft a TFLite model that would cause an integer overflow in embedding lookup operations. Both `embedding_size` and `lookup_size` are products of values provided by the user. Hence, a malicious user could trigger overflows in the multiplication. In certain scenarios, this can then result in heap OOB read/write. Users are advised to upgrade to a patched version.
Exploitation Scenario
An adversary with low-privilege access to an internal ML model evaluation service uploads a crafted TFLite model. The model contains a sparse embedding layer with manipulated metadata: embedding_size and lookup_size are chosen such that their product overflows a 32-bit integer, yielding a small allocation. Subsequent kernel operations write attacker-controlled data beyond the allocation boundary. With a suitable heap layout (achievable through multiple requests), the adversary overwrites adjacent allocator metadata or function pointers, redirecting execution to a shellcode stub or ROP chain. The inference worker process is compromised, granting access to model weights, inference request data, and potentially the host if container hardening is absent.
Weaknesses (CWE)
CWE-190 — Integer Overflow or Wraparound: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
- [Requirements] Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
- [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. If possible, choose a language or compiler that performs automatic bounds checking.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
- github.com/tensorflow/tensorflow/blob/ca6f96b62ad84207fbec580404eaa7dd7403a550/tensorflow/lite/kernels/embedding_lookup_sparse.cc Exploit 3rd Party
- github.com/tensorflow/tensorflow/commit/1de49725a5fc4e48f1a3b902ec3599ee99283043 Patch 3rd Party
- github.com/tensorflow/tensorflow/commit/a4e401da71458d253b05e41f28637b65baf64be4 Patch 3rd Party
- github.com/tensorflow/tensorflow/commit/f19be71717c497723ba0cea0379e84f061a75e01 Patch 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-98p5-x8x4-c9m5 Patch 3rd Party
Timeline
Related Vulnerabilities
- CVE-2020-15196 9.9 TensorFlow: heap OOB read in sparse/ragged count ops (same package: tensorflow)
- CVE-2020-15205 9.8 TensorFlow: heap overflow in StringNGrams, ASLR bypass (same package: tensorflow)
- CVE-2020-15208 9.8 TFLite: OOB read/write via tensor dimension mismatch (same package: tensorflow)
- CVE-2019-16778 9.8 TensorFlow: heap overflow in UnsortedSegmentSum op (same package: tensorflow)
- CVE-2022-23587 9.8 TensorFlow: integer overflow in Grappler enables RCE (same package: tensorflow)