AI Threat Alert
CVE-2022-23564: TensorFlow: DoS via reachable assertion in protobuf decode
MEDIUMAny authenticated user can crash TensorFlow processes by sending malformed protobuf resource handle tensors — no ML expertise required, just knowledge of the wire format. ML inference services and training pipelines exposed to user-supplied data are directly at risk of availability loss. Patch to TensorFlow 2.8.0, 2.7.1, 2.6.3, or 2.5.3 and restrict inference API access to authorized users only.
What is the risk?
Medium severity with real operational impact in production ML environments. Network-exploitable (AV:N), low complexity (AC:L), and only low privileges required (PR:L) means any authenticated API user or insider can trigger this. No active exploitation and absent from CISA KEV, but the trivially low barrier to cause a process crash makes this a legitimate availability risk for exposed TensorFlow serving infrastructure — especially in multi-tenant or SaaS ML platforms.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
Do you use TensorFlow? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
1) Patch: upgrade to TensorFlow 2.8.0 or apply cherrypick to 2.7.1 / 2.6.3 / 2.5.3. 2) Access control: restrict TFServing and inference API endpoints to authenticated and authorized users — never expose raw TF serving publicly. 3) Input validation: reject or sanitize protobuf payloads at the API gateway layer before they reach the TF runtime. 4) Process isolation: run inference workers in containers or separate processes so a CHECK-triggered abort does not cascade to the full service. 5) Detection: alert on abnormal TF worker exit rates or CHECK assertion errors in application and system logs.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2022-23564?
Any authenticated user can crash TensorFlow processes by sending malformed protobuf resource handle tensors — no ML expertise required, just knowledge of the wire format. ML inference services and training pipelines exposed to user-supplied data are directly at risk of availability loss. Patch to TensorFlow 2.8.0, 2.7.1, 2.6.3, or 2.5.3 and restrict inference API access to authorized users only.
Is CVE-2022-23564 actively exploited?
No confirmed active exploitation of CVE-2022-23564 has been reported, but organizations should still patch proactively.
How to fix CVE-2022-23564?
1) Patch: upgrade to TensorFlow 2.8.0 or apply cherrypick to 2.7.1 / 2.6.3 / 2.5.3. 2) Access control: restrict TFServing and inference API endpoints to authenticated and authorized users — never expose raw TF serving publicly. 3) Input validation: reject or sanitize protobuf payloads at the API gateway layer before they reach the TF runtime. 4) Process isolation: run inference workers in containers or separate processes so a CHECK-triggered abort does not cascade to the full service. 5) Detection: alert on abnormal TF worker exit rates or CHECK assertion errors in application and system logs.
What systems are affected by CVE-2022-23564?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference APIs.
What is the CVSS score for CVE-2022-23564?
CVE-2022-23564 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.46%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0029 Denial of AI Service AML.T0040 AI Model Inference API Access AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
Tensorflow is an Open Source Machine Learning Framework. When decoding a resource handle tensor from protobuf, a TensorFlow process can encounter cases where a `CHECK` assertion is invalidated based on user controlled arguments. This allows attackers to cause denial of services in TensorFlow processes. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
Exploitation Scenario
An attacker with low-privilege access to a TensorFlow inference API crafts a protobuf payload containing a malformed resource handle tensor. When TFServing or a custom TF application deserializes this payload, the runtime hits an invalid CHECK assertion during decoding and aborts the process. By automating this request, the attacker can keep the inference service in a crash loop, causing sustained downtime for any business logic dependent on model inference — without needing adversarial ML knowledge, only familiarity with the protobuf wire format and the affected TF API endpoint.
Weaknesses (CWE)
CWE-617 — Reachable Assertion: The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
- [Implementation] Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
- [Implementation] Perform input validation on user data.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H References
Timeline
Related Vulnerabilities
CVE-2020-15196 9.9 TensorFlow: heap OOB read in sparse/ragged count ops
Same package: tensorflow CVE-2020-15205 9.8 TensorFlow: heap overflow in StringNGrams, ASLR bypass
Same package: tensorflow CVE-2020-15208 9.8 TFLite: OOB read/write via tensor dimension mismatch
Same package: tensorflow CVE-2019-16778 9.8 TensorFlow: heap overflow in UnsortedSegmentSum op
Same package: tensorflow CVE-2022-23587 9.8 TensorFlow: integer overflow in Grappler enables RCE
Same package: tensorflow