AI Threat Alert
CVE-2022-23561: TensorFlow Lite: OOB write, arbitrary write primitive
HIGHAny pipeline that loads TFLite model files from untrusted or user-controlled sources is vulnerable to arbitrary memory writes, with a realistic path to code execution inside the inference process. Patch immediately to TensorFlow 2.8.0 (or backports 2.7.1/2.6.3/2.5.3) and restrict model loading to cryptographically verified artifacts. If you operate edge inference, federated learning nodes, or model-upload APIs built on TFLite, treat this as a critical remediation item.
What is the risk?
CVSS 8.8 with network vector, low complexity, and low privilege requirement makes this highly actionable for any attacker with access to a model ingestion endpoint. The ability to corrupt the memory allocator's linked list elevates a heap OOB write to an arbitrary write primitive — a well-understood building block for full RCE on predictable heap layouts common in containerized ML serving. Not in CISA KEV, suggesting limited confirmed active exploitation, but the exploit primitive is elementary for a motivated attacker with binary exploitation skills. TFLite's broad deployment across mobile, edge, and server inference expands the attack surface considerably.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
Do you use TensorFlow? You're affected.
How severe is it?
What is the attack surface?
What should I do?
6 steps-
Patch: upgrade to TensorFlow 2.8.0, or apply cherry-picks to 2.7.1, 2.6.3, or 2.5.3 as applicable.
-
Model provenance: only load TFLite models from cryptographically signed, hash-verified sources — reject unsigned or externally sourced model files.
-
Sandboxing: isolate TFLite model loading and inference in separate processes or containers with restricted syscall profiles (seccomp, gVisor) to contain blast radius.
-
Input validation: implement flatbuffer schema validation and size-limit checks before model parsing.
-
Network controls: enforce strict allowlisting on which services can submit model files to inference endpoints.
-
Detection: monitor inference processes for heap corruption signals (SIGSEGV, heap sanitizer output, unexpected process crashes) and alert on anomalous model file submissions.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2022-23561?
Any pipeline that loads TFLite model files from untrusted or user-controlled sources is vulnerable to arbitrary memory writes, with a realistic path to code execution inside the inference process. Patch immediately to TensorFlow 2.8.0 (or backports 2.7.1/2.6.3/2.5.3) and restrict model loading to cryptographically verified artifacts. If you operate edge inference, federated learning nodes, or model-upload APIs built on TFLite, treat this as a critical remediation item.
Is CVE-2022-23561 actively exploited?
No confirmed active exploitation of CVE-2022-23561 has been reported, but organizations should still patch proactively.
How to fix CVE-2022-23561?
1. Patch: upgrade to TensorFlow 2.8.0, or apply cherry-picks to 2.7.1, 2.6.3, or 2.5.3 as applicable. 2. Model provenance: only load TFLite models from cryptographically signed, hash-verified sources — reject unsigned or externally sourced model files. 3. Sandboxing: isolate TFLite model loading and inference in separate processes or containers with restricted syscall profiles (seccomp, gVisor) to contain blast radius. 4. Input validation: implement flatbuffer schema validation and size-limit checks before model parsing. 5. Network controls: enforce strict allowlisting on which services can submit model files to inference endpoints. 6. Detection: monitor inference processes for heap corruption signals (SIGSEGV, heap sanitizer output, unexpected process crashes) and alert on anomalous model file submissions.
What systems are affected by CVE-2022-23561?
This vulnerability affects the following AI/ML architecture patterns: model serving, edge AI / on-device inference, federated learning nodes, training pipelines, model registries and marketplaces.
What is the CVSS score for CVE-2022-23561?
CVE-2022-23561 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.53%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0011.000 Unsafe AI Artifacts AML.T0018 Manipulate AI Model AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
Tensorflow is an Open Source Machine Learning Framework. An attacker can craft a TFLite model that would cause a write outside of bounds of an array in TFLite. In fact, the attacker can override the linked list used by the memory allocator. This can be leveraged for an arbitrary write primitive under certain conditions. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
Exploitation Scenario
An adversary with low-privilege access to an ML inference API — for example, a model-upload endpoint in a federated learning platform or an internal model testing service — crafts a malformed TFLite flatbuffer file with a specially structured memory allocator region. When the TFLite runtime parses the file, it performs an out-of-bounds write that overwrites the allocator's linked list metadata. On a containerized inference server with a predictable heap layout, the adversary uses this arbitrary write primitive to overwrite a function pointer, redirecting execution to shellcode or a ROP chain. From the compromised inference container the adversary can exfiltrate proprietary model weights, poison inference responses, or pivot laterally within the ML platform's internal network.
Weaknesses (CWE)
CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.
- [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2020-15196 9.9 TensorFlow: heap OOB read in sparse/ragged count ops
Same package: tensorflow CVE-2020-15205 9.8 TensorFlow: heap overflow in StringNGrams, ASLR bypass
Same package: tensorflow CVE-2020-15208 9.8 TFLite: OOB read/write via tensor dimension mismatch
Same package: tensorflow CVE-2019-16778 9.8 TensorFlow: heap overflow in UnsortedSegmentSum op
Same package: tensorflow CVE-2022-23587 9.8 TensorFlow: integer overflow in Grappler enables RCE
Same package: tensorflow