AI Threat Alert

CVE-2022-23566: TensorFlow: heap OOB write in Grappler, RCE risk

HIGH PoC AVAILABLE CISA: ATTEND
Published February 4, 2022
CISO Take

This heap out-of-bounds write in TensorFlow's graph optimizer (Grappler) is network-exploitable with low privileges and no user interaction—a dangerous combination for any ML serving infrastructure. Any TensorFlow deployment accepting model inputs from low-trust users is at risk of remote code execution. Patch to TF 2.8.0, 2.7.1, 2.6.3, or 2.5.3 immediately; there are no viable workarounds.

What is the risk?

High severity (CVSS 8.8). The combination of network accessibility, low attack complexity, and low privilege requirement makes this high-priority for remediation. TensorFlow is widely deployed in training and inference pipelines, often in multi-tenant environments. A write primitive in Grappler can be leveraged for arbitrary code execution, threatening the confidentiality, integrity, and availability of ML infrastructure. Not currently in CISA KEV, but exploit primitives are publicly documented in the GitHub advisory.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 3d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
0.9%
chance of exploitation in 30 days
Higher than 55% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

5 steps

  1. Upgrade TensorFlow to 2.8.0+, or apply cherry-picks targeting 2.7.1, 2.6.3, or 2.5.3.

  2. If immediate patching is blocked, restrict TF inference endpoint access to trusted principals via network ACLs or service mesh policy.

  3. Run TF serving processes in isolated containers or sandboxed VMs to contain blast radius.

  4. Monitor audit logs for anomalous graph submissions or unexpected Grappler-level errors that may indicate exploitation attempts.

  5. Building from source: apply commit 97282c6d0d34476b6ba033f961590b783fa184cd directly.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Supply Chain Framework Inference AML.T0010.001 AML.T0043 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.3 - Technical robustness and safety of AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems MAP 5.1 - Likelihood and magnitude of each identified impact based on impacts to individuals, groups, communities, organizations, and society

Frequently Asked Questions

What is CVE-2022-23566?

This heap out-of-bounds write in TensorFlow's graph optimizer (Grappler) is network-exploitable with low privileges and no user interaction—a dangerous combination for any ML serving infrastructure. Any TensorFlow deployment accepting model inputs from low-trust users is at risk of remote code execution. Patch to TF 2.8.0, 2.7.1, 2.6.3, or 2.5.3 immediately; there are no viable workarounds.

Is CVE-2022-23566 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-23566, increasing the risk of exploitation.

How to fix CVE-2022-23566?

1. Upgrade TensorFlow to 2.8.0+, or apply cherry-picks targeting 2.7.1, 2.6.3, or 2.5.3. 2. If immediate patching is blocked, restrict TF inference endpoint access to trusted principals via network ACLs or service mesh policy. 3. Run TF serving processes in isolated containers or sandboxed VMs to contain blast radius. 4. Monitor audit logs for anomalous graph submissions or unexpected Grappler-level errors that may indicate exploitation attempts. 5. Building from source: apply commit 97282c6d0d34476b6ba033f961590b783fa184cd directly.

What systems are affected by CVE-2022-23566?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML platforms, TFX/Kubeflow pipelines, federated learning infrastructure.

What is the CVSS score for CVE-2022-23566?

CVE-2022-23566 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.91%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingML platformsTFX/Kubeflow pipelinesfederated learning infrastructure

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0043 Craft Adversarial Data
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.10.3
NIST AI RMF: MANAGE 2.2, MAP 5.1

What are the technical details?

Original Advisory

Tensorflow is an Open Source Machine Learning Framework. TensorFlow is vulnerable to a heap OOB write in `Grappler`. The `set_output` function writes to an array at the specified index. Hence, this gives a malicious user a write primitive. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with a low-privilege account on a multi-tenant ML platform—such as a shared Jupyter environment, TFX endpoint, or model-as-a-service API—crafts a malicious TensorFlow computational graph that triggers the OOB write in Grappler's set_output by supplying an out-of-range index. With control over the write primitive, the attacker overwrites function pointers or heap metadata to achieve code execution under the ML serving process identity. From there, they pivot to model storage, training datasets, or internal network resources.

Weaknesses (CWE)

CWE-787 Out-of-bounds Write

CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.

  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
February 4, 2022
Last Modified
November 21, 2024
First Seen
February 4, 2022

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed