AI Threat Alert AI Threat Alert

CVE-2022-23562: TensorFlow: Range integer overflow, RCE/DoS risk

HIGH
Published February 4, 2022
CISO Take

Upgrade TensorFlow immediately to 2.8.0, 2.7.1, 2.6.3, or 2.5.3. Any deployment accepting user-controlled tensor data over a network is exploitable by low-privileged attackers with no user interaction required. Prioritize inference APIs and multi-tenant ML platforms where untrusted inputs reach the framework.

Risk Assessment

High risk (CVSS 8.8). Network-accessible, low complexity, low privileges required — exploitable remotely with minimal skill. The integer overflow in the Range op triggers undefined behavior (potential RCE) or massive memory allocations (DoS). TensorFlow's ubiquity in production ML infrastructure significantly widens the exposure surface. No active exploitation reported and not in CISA KEV, but the low barrier to exploitation demands prompt patching.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
8.8 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 58% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Moderate

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

Recommended Action

4 steps

  1. Patch: Upgrade to TensorFlow 2.8.0 or apply cherry-picks in 2.7.1/2.6.3/2.5.3.

  2. Workaround: Enforce bounds validation on all integer inputs to tf.range() at API boundaries — reject start/limit/delta values outside sane operational ranges before they reach TensorFlow.

  3. Detection: Alert on anomalous memory spikes and OOM errors in TensorFlow processes; audit inference API logs for malformed tensor operation requests.

  4. Isolation: Run TensorFlow serving containers with memory limits (--memory flag) to cap DoS blast radius and restrict process permissions to limit RCE impact.

Classification

Code Execution DoS Framework Inference AML.T0010.001 AML.T0029 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2 - AI system risk assessment
NIST AI RMF
MANAGE-2.2 - AI Risk Response
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2022-23562?

Upgrade TensorFlow immediately to 2.8.0, 2.7.1, 2.6.3, or 2.5.3. Any deployment accepting user-controlled tensor data over a network is exploitable by low-privileged attackers with no user interaction required. Prioritize inference APIs and multi-tenant ML platforms where untrusted inputs reach the framework.

Is CVE-2022-23562 actively exploited?

No confirmed active exploitation of CVE-2022-23562 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-23562?

1. Patch: Upgrade to TensorFlow 2.8.0 or apply cherry-picks in 2.7.1/2.6.3/2.5.3. 2. Workaround: Enforce bounds validation on all integer inputs to tf.range() at API boundaries — reject start/limit/delta values outside sane operational ranges before they reach TensorFlow. 3. Detection: Alert on anomalous memory spikes and OOM errors in TensorFlow processes; audit inference API logs for malformed tensor operation requests. 4. Isolation: Run TensorFlow serving containers with memory limits (--memory flag) to cap DoS blast radius and restrict process permissions to limit RCE impact.

What systems are affected by CVE-2022-23562?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference API, ML platforms, notebook/Jupyter environments.

What is the CVSS score for CVE-2022-23562?

CVE-2022-23562 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.36%.

Technical Details

NVD Description

Tensorflow is an Open Source Machine Learning Framework. The implementation of `Range` suffers from integer overflows. These can trigger undefined behavior or, in some scenarios, extremely large allocations. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with a low-privileged account on a TensorFlow-based model serving platform submits a crafted inference request containing a Range operation with carefully chosen integer values designed to overflow. This triggers either a massive heap allocation that crashes the inference server (taking down all users) or memory corruption that, under exploitable memory layout conditions, enables code execution within the TF serving process — potentially exfiltrating loaded model weights, API keys in environment variables, or establishing a foothold in the ML infrastructure.

Weaknesses (CWE)

CWE-190

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
February 4, 2022
Last Modified
November 21, 2024
First Seen
February 4, 2022

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed