CVE-2022-23564 — MEDIUM (CVSS 6.5) AI Security Vulnerability

CISO Take

Any authenticated user can crash TensorFlow processes by sending malformed protobuf resource handle tensors — no ML expertise required, just knowledge of the wire format. ML inference services and training pipelines exposed to user-supplied data are directly at risk of availability loss. Patch to TensorFlow 2.8.0, 2.7.1, 2.6.3, or 2.5.3 and restrict inference API access to authorized users only.

Risk Assessment

Medium severity with real operational impact in production ML environments. Network-exploitable (AV:N), low complexity (AC:L), and only low privileges required (PR:L) means any authenticated API user or insider can trigger this. No active exploitation and absent from CISA KEV, but the trivially low barrier to cause a process crash makes this a legitimate availability risk for exposed TensorFlow serving infrastructure — especially in multi-tenant or SaaS ML platforms.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

6.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 30% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

1 step

1) Patch: upgrade to TensorFlow 2.8.0 or apply cherrypick to 2.7.1 / 2.6.3 / 2.5.3. 2) Access control: restrict TFServing and inference API endpoints to authenticated and authorized users — never expose raw TF serving publicly. 3) Input validation: reject or sanitize protobuf payloads at the API gateway layer before they reach the TF runtime. 4) Process isolation: run inference workers in containers or separate processes so a CHECK-triggered abort does not cascade to the full service. 5) Detection: alert on abnormal TF worker exit rates or CHECK assertion errors in application and system logs.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

8.4 - AI system robustness and resilience

NIST AI RMF

MANAGE-2.2 - Risk treatment and response mechanisms

Frequently Asked Questions

What is CVE-2022-23564?

Any authenticated user can crash TensorFlow processes by sending malformed protobuf resource handle tensors — no ML expertise required, just knowledge of the wire format. ML inference services and training pipelines exposed to user-supplied data are directly at risk of availability loss. Patch to TensorFlow 2.8.0, 2.7.1, 2.6.3, or 2.5.3 and restrict inference API access to authorized users only.

Is CVE-2022-23564 actively exploited?

No confirmed active exploitation of CVE-2022-23564 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-23564?

1) Patch: upgrade to TensorFlow 2.8.0 or apply cherrypick to 2.7.1 / 2.6.3 / 2.5.3. 2) Access control: restrict TFServing and inference API endpoints to authenticated and authorized users — never expose raw TF serving publicly. 3) Input validation: reject or sanitize protobuf payloads at the API gateway layer before they reach the TF runtime. 4) Process isolation: run inference workers in containers or separate processes so a CHECK-triggered abort does not cascade to the full service. 5) Detection: alert on abnormal TF worker exit rates or CHECK assertion errors in application and system logs.

What systems are affected by CVE-2022-23564?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference APIs.

What is the CVSS score for CVE-2022-23564?

CVE-2022-23564 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.12%.

Technical Details

NVD Description

Tensorflow is an Open Source Machine Learning Framework. When decoding a resource handle tensor from protobuf, a TensorFlow process can encounter cases where a `CHECK` assertion is invalidated based on user controlled arguments. This allows attackers to cause denial of services in TensorFlow processes. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with low-privilege access to a TensorFlow inference API crafts a protobuf payload containing a malformed resource handle tensor. When TFServing or a custom TF application deserializes this payload, the runtime hits an invalid CHECK assertion during decoding and aborts the process. By automating this request, the attacker can keep the inference service in a crash loop, causing sustained downtime for any business logic dependent on model inference — without needing adversarial ML knowledge, only familiarity with the protobuf wire format and the affected TF API endpoint.