AI Threat Alert
CVE-2022-23562: TensorFlow: Range integer overflow, RCE/DoS risk
HIGHUpgrade TensorFlow immediately to 2.8.0, 2.7.1, 2.6.3, or 2.5.3. Any deployment accepting user-controlled tensor data over a network is exploitable by low-privileged attackers with no user interaction required. Prioritize inference APIs and multi-tenant ML platforms where untrusted inputs reach the framework.
What is the risk?
High risk (CVSS 8.8). Network-accessible, low complexity, low privileges required — exploitable remotely with minimal skill. The integer overflow in the Range op triggers undefined behavior (potential RCE) or massive memory allocations (DoS). TensorFlow's ubiquity in production ML infrastructure significantly widens the exposure surface. No active exploitation reported and not in CISA KEV, but the low barrier to exploitation demands prompt patching.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
Do you use TensorFlow? You're affected.
How severe is it?
What is the attack surface?
What should I do?
4 steps-
Patch: Upgrade to TensorFlow 2.8.0 or apply cherry-picks in 2.7.1/2.6.3/2.5.3.
-
Workaround: Enforce bounds validation on all integer inputs to tf.range() at API boundaries — reject start/limit/delta values outside sane operational ranges before they reach TensorFlow.
-
Detection: Alert on anomalous memory spikes and OOM errors in TensorFlow processes; audit inference API logs for malformed tensor operation requests.
-
Isolation: Run TensorFlow serving containers with memory limits (--memory flag) to cap DoS blast radius and restrict process permissions to limit RCE impact.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2022-23562?
Upgrade TensorFlow immediately to 2.8.0, 2.7.1, 2.6.3, or 2.5.3. Any deployment accepting user-controlled tensor data over a network is exploitable by low-privileged attackers with no user interaction required. Prioritize inference APIs and multi-tenant ML platforms where untrusted inputs reach the framework.
Is CVE-2022-23562 actively exploited?
No confirmed active exploitation of CVE-2022-23562 has been reported, but organizations should still patch proactively.
How to fix CVE-2022-23562?
1. Patch: Upgrade to TensorFlow 2.8.0 or apply cherry-picks in 2.7.1/2.6.3/2.5.3. 2. Workaround: Enforce bounds validation on all integer inputs to tf.range() at API boundaries — reject start/limit/delta values outside sane operational ranges before they reach TensorFlow. 3. Detection: Alert on anomalous memory spikes and OOM errors in TensorFlow processes; audit inference API logs for malformed tensor operation requests. 4. Isolation: Run TensorFlow serving containers with memory limits (--memory flag) to cap DoS blast radius and restrict process permissions to limit RCE impact.
What systems are affected by CVE-2022-23562?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference API, ML platforms, notebook/Jupyter environments.
What is the CVSS score for CVE-2022-23562?
CVE-2022-23562 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.57%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0029 Denial of AI Service AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
Tensorflow is an Open Source Machine Learning Framework. The implementation of `Range` suffers from integer overflows. These can trigger undefined behavior or, in some scenarios, extremely large allocations. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
Exploitation Scenario
An adversary with a low-privileged account on a TensorFlow-based model serving platform submits a crafted inference request containing a Range operation with carefully chosen integer values designed to overflow. This triggers either a massive heap allocation that crashes the inference server (taking down all users) or memory corruption that, under exploitable memory layout conditions, enables code execution within the TF serving process — potentially exfiltrating loaded model weights, API keys in environment variables, or establishing a foothold in the ML infrastructure.
Weaknesses (CWE)
CWE-190 — Integer Overflow or Wraparound: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
- [Requirements] Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
- [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. If possible, choose a language or compiler that performs automatic bounds checking.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2020-15196 9.9 TensorFlow: heap OOB read in sparse/ragged count ops
Same package: tensorflow CVE-2020-15205 9.8 TensorFlow: heap overflow in StringNGrams, ASLR bypass
Same package: tensorflow CVE-2020-15208 9.8 TFLite: OOB read/write via tensor dimension mismatch
Same package: tensorflow CVE-2019-16778 9.8 TensorFlow: heap overflow in UnsortedSegmentSum op
Same package: tensorflow CVE-2022-23587 9.8 TensorFlow: integer overflow in Grappler enables RCE
Same package: tensorflow