CVE-2022-23563: TensorFlow: TOC/TOU race allows temp file hijacking

MEDIUM
Published February 4, 2022
CISO Take

TensorFlow's use of mktemp() creates a race condition where a local attacker can hijack temp file paths between name generation and actual creation. In shared ML infrastructure — GPU clusters, multi-user Jupyter servers, HPC environments — a low-privilege user can redirect TensorFlow's temp writes to sensitive targets or extract training data. Patch immediately via pip upgrade; this is a one-command fix with no workaround otherwise.

What is the risk?

CVSS 6.3 Medium, but the real risk is context-dependent. Attack complexity is High (race condition timing), which limits opportunistic exploitation, but automated race condition tooling exists and reduces the bar. The local attack vector narrows exposure, yet shared ML training infrastructure is the norm in enterprise AI teams, where multiple users share the same filesystem. C:H/I:H impact means successful exploitation yields full read/write access to whatever data TensorFlow writes to temp storage — model checkpoints, data batches, serialized tensors. Not in CISA KEV, no public exploitation evidence; treat as medium-urgency patching.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
TensorFlow | pip | | No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 6.3 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 1% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): None

What should I do?

6 steps
  1. Upgrade TensorFlow immediately: pip install --upgrade tensorflow — patches replace mktemp with mkstemp/mkdtemp across affected code paths.

  2. Verify the patched commits are included in your installed version (check TF security advisory GHSA-wc4g-r73w-x8mm).

  3. Harden shared ML infrastructure: isolate training jobs in containers or separate Linux user namespaces to eliminate same-filesystem coexistence with untrusted users.

  4. Apply least-privilege: training service accounts should not share /tmp with interactive user sessions.

  5. Short-term workaround if patching is delayed: set TMPDIR to a directory with restricted permissions (chmod 700) owned by the training user, eliminating the race window for other users.

  6. Detection: monitor /tmp with inotifywait for symlink creation events timed with TensorFlow training job activity.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - Information security in AI system development
NIST AI RMF: MANAGE 2.2 - Mechanisms for tracking identified AI risks over time are in place
OWASP LLM Top 10: LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2022-23563?

TensorFlow's use of mktemp() creates a race condition where a local attacker can hijack temp file paths between name generation and actual creation. In shared ML infrastructure — GPU clusters, multi-user Jupyter servers, HPC environments — a low-privilege user can redirect TensorFlow's temp writes to sensitive targets or extract training data. Patch immediately via pip upgrade; this is a one-command fix with no workaround otherwise.

Is CVE-2022-23563 actively exploited?

No confirmed active exploitation of CVE-2022-23563 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-23563?

  1. Upgrade TensorFlow immediately: pip install --upgrade tensorflow — patches replace mktemp with mkstemp/mkdtemp across affected code paths.

  2. Verify the patched commits are included in your installed version (check TF security advisory GHSA-wc4g-r73w-x8mm).

  3. Harden shared ML infrastructure: isolate training jobs in containers or separate Linux user namespaces to eliminate same-filesystem coexistence with untrusted users.

  4. Apply least-privilege: training service accounts should not share /tmp with interactive user sessions.

  5. Short-term workaround if patching is delayed: set TMPDIR to a directory with restricted permissions (chmod 700) owned by the training user, eliminating the race window for other users.

  6. Detection: monitor /tmp with inotifywait for symlink creation events timed with TensorFlow training job activity.

What systems are affected by CVE-2022-23563?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML development environments, shared ML infrastructure.

What is the CVSS score for CVE-2022-23563?

CVE-2022-23563 has a CVSS v3.1 base score of 6.3 (MEDIUM). The EPSS exploitation probability is 0.11%.

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, ML development environments, shared ML infrastructure

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0020 Poison Training Data
AML.T0025 Exfiltration via Cyber Means

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

Tensorflow is an Open Source Machine Learning Framework. In multiple places, TensorFlow uses `tempfile.mktemp` to create temporary files. While this is acceptable in testing, in utilities and libraries it is dangerous as a different process can create the file between the check for the filename in `mktemp` and the actual creation of the file by a subsequent operation (a TOC/TOU type of weakness). In several instances, TensorFlow was supposed to actually create a temporary directory instead of a file. This logic bug is hidden away by the `mktemp` function usage. We have patched the issue in several commits, replacing `mktemp` with the safer `mkstemp`/`mkdtemp` functions, according to the usage pattern. Users are advised to upgrade as soon as possible.
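Added example (not TensorFlow's code and not from the advisory): the pre-patch mktemp() pattern beside the mkstemp()/mkdtemp() replacement the advisory and step 1 describe, with the name-then-create window made visible deterministically instead of by timing. The `during_window` hook, the function names and the sample bytes are assumptions of this example.

```python
import os
import tempfile

SAMPLE = b"constructed checkpoint bytes"  # stands in for data a training job writes

def vulnerable_write(tmpdir, during_window=lambda path: None):
    """Pre-patch pattern: mktemp() returns an unused *name* but creates nothing,
    so whatever lands at that name before open() runs receives the data.
    `during_window` is an assumed hook standing in for the competing process."""
    path = tempfile.mktemp(dir=tmpdir, suffix=".ckpt")
    during_window(path)
    with open(path, "wb") as fh:  # no O_EXCL: reuses an existing file or symlink
        fh.write(SAMPLE)
    return path

def patched_write(tmpdir):
    """Patched pattern: mkstemp() creates the file itself (O_CREAT|O_EXCL, 0600)
    and hands back an open descriptor, so there is no name-then-create window."""
    fd, path = tempfile.mkstemp(dir=tmpdir, suffix=".ckpt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE)
    return path

def exclusive_create_refused(path):
    """Why mkstemp is safe: O_EXCL fails on an existing path instead of following it."""
    try:
        os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
    except FileExistsError:
        return True
    return False

def demo():
    """Run both patterns in a private scratch directory and report the checks."""
    base = tempfile.mkdtemp(prefix="cve-2022-23563-demo-")
    planted = {}

    def plant(path):  # simulated competing process acting inside the race window
        with open(path, "wb") as fh:
            fh.write(b"planted")
        planted["ino"] = os.stat(path).st_ino

    v = vulnerable_write(base, plant)
    p = patched_write(base)
    d = tempfile.mkdtemp(dir=base, prefix="tf-")  # mkdtemp where a directory was meant
    return {
        "vulnerable_wrote_into_planted_file": os.stat(v).st_ino == planted["ino"],
        "patched_file_mode": os.lstat(p).st_mode & 0o777,
        "patched_refuses_existing": exclusive_create_refused(p),
        "patched_dir_mode": os.lstat(d).st_mode & 0o777 if os.path.isdir(d) else None,
    }
```

The vulnerable path writes into the file that was planted at the name mktemp() handed out, while the patched path ends up with a 0600 file that an exclusive create refuses to reopen.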

Exploitation Scenario

Attacker has low-privilege shell access to a shared GPU training server (common in university labs, HPC clusters, enterprise data science teams). They run a background watcher monitoring /tmp for filenames matching TensorFlow's temp naming patterns using inotify. A privileged ML pipeline job calls mktemp(), which returns a filename but does not yet create it. In the microsecond window before TensorFlow's next operation, the attacker creates a symlink at that exact path pointing to a sensitive target — for example, a cron file, a model registry path, or a world-readable location. TensorFlow proceeds unaware, writing training data or checkpoint content to the attacker's target. In the mkdtemp-should-have-been-used case, TensorFlow creates a file instead of a directory, causing crashes that mask the underlying manipulation. Net result: training data exfiltration or integrity compromise of model artifacts, depending on attacker objective.

Weaknesses (CWE)

CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

  • [Implementation] The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.
  • [Implementation] When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Timeline

Published: February 4, 2022
Last Modified: November 21, 2024
First Seen: February 4, 2022
