CVE-2022-23559: TFLite: integer overflow in embedding lookup → heap OOB RW

HIGH | PoC available | CISA SSVC: Attend
Published February 4, 2022
CISO Take

Any service that accepts user-submitted TFLite model files is exposed to heap out-of-bounds read/write, which can lead to remote code execution with only low-privilege access and no user interaction required. If your organisation runs TFLite inference endpoints or pipelines that ingest externally supplied models, patch immediately and enforce strict model provenance controls. CVSS 8.8 with network vector and low complexity makes this trivially weaponisable by any authenticated API user.

Risk Assessment

High severity (CVSS 8.8). The attack requires only low privileges and zero user interaction, eliminating most practical barriers to exploitation. The integer overflow in embedding_size × lookup_size produces a heap OOB R/W primitive—a reliable stepping stone to RCE on the host running inference. Exposure is highest in multi-tenant model-serving platforms, ML-as-a-Service offerings, and CI/CD pipelines that automatically evaluate community-contributed models. Not in CISA KEV as of analysis date, but the low exploitation complexity warrants treatment as actively exploitable.

Affected Systems

Package | Ecosystem | Patched
tensorflow | pip | No patch

Severity & Risk

CVSS 3.1: 8.8 / 10
EPSS: 0.5% chance of exploitation in 30 days (higher than 67% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

1. PATCH: Upgrade TensorFlow to a version containing commits 1de4972, a4e401d, and f19be71 (released post-2022-02-04). Verify via `pip show tensorflow` and cross-check against TF security advisories.
2. VALIDATE INPUTS: Before passing a TFLite model to the interpreter, validate that embedding_size and lookup_size values are within safe bounds and their product does not overflow int32/int64.
3. MODEL PROVENANCE: Reject TFLite models from untrusted sources; enforce cryptographic signing of model artifacts in your ML pipeline.
4. SANDBOX INFERENCE: Run TFLite inference in isolated processes or containers with minimal filesystem and network permissions; use seccomp/AppArmor profiles.
5. DETECT: Monitor inference workers for anomalous memory access patterns (ASAN in staging, heap-hardening allocators in production). Alert on unexpected crashes or segfaults in TFLite interpreter processes.
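The input validation called for in step 2, as an added example (this is not TensorFlow/TFLite source code and not the fix carried by the commits named in step 1): a pre-flight check that takes the embedding and lookup dimensions read out of a model and refuses any pair whose product would not fit 32-bit arithmetic, or whose product exceeds a deployment ceiling. The function names, the `max_elements` ceiling and the sample dimensions in `main` are this example's own assumptions; `WrappedInt32Product` exists only to show the wrapped value the validator rejects.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Added example, not TFLite code. Both dimensions are read from the model
// file, so for an untrusted model they are attacker-chosen values.

// Multiply two non-negative int64 values without wrapping.
// Returns false (and leaves *out untouched) if the product would overflow.
bool CheckedMultiply(int64_t a, int64_t b, int64_t* out) {
  if (a < 0 || b < 0) return false;
  if (a == 0 || b == 0) {
    *out = 0;
    return true;
  }
  if (a > std::numeric_limits<int64_t>::max() / b) return false;
  *out = a * b;
  return true;
}

// What an unchecked 32-bit multiplication yields: the wrap is performed in
// uint32 (well-defined modular arithmetic) and reinterpreted as int32.
// Used here only to show the value the validator rejects.
int32_t WrappedInt32Product(int32_t a, int32_t b) {
  return static_cast<int32_t>(static_cast<uint32_t>(a) *
                              static_cast<uint32_t>(b));
}

struct SizeCheck {
  bool ok;          // true if the pair is safe to hand to the interpreter
  int64_t product;  // embedding_size * lookup_size, valid only when ok
};

// Validate model-supplied embedding_size and lookup_size:
//   - both must be positive,
//   - their product must fit int64 (the check itself must not wrap),
//   - the product must fit int32, because the advisory describes the
//     product overflowing a 32-bit integer,
//   - the product must stay under a deployment-specific ceiling (assumed
//     here to be 2^28 elements) so an oversized but non-overflowing model is
//     also rejected before it can exhaust memory.
SizeCheck ValidateEmbeddingLookupSizes(int64_t embedding_size,
                                       int64_t lookup_size,
                                       int64_t max_elements = (1LL << 28)) {
  SizeCheck result{false, 0};
  if (embedding_size <= 0 || lookup_size <= 0) return result;
  int64_t product = 0;
  if (!CheckedMultiply(embedding_size, lookup_size, &product)) return result;
  if (product > std::numeric_limits<int32_t>::max()) return result;
  if (product > max_elements) return result;
  result.ok = true;
  result.product = product;
  return result;
}

int main() {
  // Constructed sample dimensions: a benign pair, a pair whose product wraps
  // to zero in 32-bit arithmetic, and a pair whose product wraps negative.
  const int64_t samples[][2] = {{128, 1000}, {65536, 65536}, {46341, 46341}};
  for (const auto& s : samples) {
    SizeCheck c = ValidateEmbeddingLookupSizes(s[0], s[1]);
    std::printf("embedding_size=%lld lookup_size=%lld -> %s "
                "(unchecked int32 product would be %d)\n",
                static_cast<long long>(s[0]), static_cast<long long>(s[1]),
                c.ok ? "accept" : "reject",
                WrappedInt32Product(static_cast<int32_t>(s[0]),
                                    static_cast<int32_t>(s[1])));
  }
  return 0;
}
```

Run the check on the dimensions of every tensor feeding an embedding-lookup op before the model reaches the interpreter, and reject the whole model on the first failure; checking in int64 and then capping at int32 means the validator can never itself wrap on the values it is inspecting.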

CISA SSVC Assessment

Decision: Attend
Exploitation: PoC
Automatable: No
Technical Impact: Total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity; Article 9 - Risk management system
ISO 42001: A.9.3 - AI system security
NIST AI RMF: MANAGE-2.2 - Risk treatments applied to deployed AI systems
OWASP LLM Top 10: LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2022-23559 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-23559, increasing the risk of exploitation.

What systems are affected by CVE-2022-23559?

This vulnerability affects the following AI/ML architecture patterns: TFLite edge inference, model serving, training pipelines, recommendation system inference, on-device ML (mobile/embedded).

What is the CVSS score for CVE-2022-23559?

CVE-2022-23559 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.52%.

Technical Details

NVD Description

Tensorflow is an Open Source Machine Learning Framework. An attacker can craft a TFLite model that would cause an integer overflow in embedding lookup operations. Both `embedding_size` and `lookup_size` are products of values provided by the user. Hence, a malicious user could trigger overflows in the multiplication. In certain scenarios, this can then result in heap OOB read/write. Users are advised to upgrade to a patched version.

Exploitation Scenario

An adversary with low-privilege access to an internal ML model evaluation service uploads a crafted TFLite model. The model contains a sparse embedding layer with manipulated metadata: embedding_size and lookup_size are chosen such that their product overflows a 32-bit integer, yielding a small allocation. Subsequent kernel operations write attacker-controlled data beyond the allocation boundary. With a suitable heap layout (achievable through multiple requests), the adversary overwrites adjacent allocator metadata or function pointers, redirecting execution to a shellcode stub or ROP chain. The inference worker process is compromised, granting access to model weights, inference request data, and potentially the host if container hardening is absent.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: February 4, 2022
Last Modified: November 21, 2024
First Seen: February 4, 2022

Related Vulnerabilities