CVE-2022-23566 — HIGH (CVSS 8.8) AI Security Vulnerability

CISO Take

This heap out-of-bounds write in TensorFlow's graph optimizer (Grappler) is network-exploitable with low privileges and no user interaction—a dangerous combination for any ML serving infrastructure. Any TensorFlow deployment accepting model inputs from low-trust users is at risk of remote code execution. Patch to TF 2.8.0, 2.7.1, 2.6.3, or 2.5.3 immediately; there are no viable workarounds.

Risk Assessment

High severity (CVSS 8.8). The combination of network accessibility, low attack complexity, and low privilege requirement makes this high-priority for remediation. TensorFlow is widely deployed in training and inference pipelines, often in multi-tenant environments. A write primitive in Grappler can be leveraged for arbitrary code execution, threatening the confidentiality, integrity, and availability of ML infrastructure. Not currently in CISA KEV, but exploit primitives are publicly documented in the GitHub advisory.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

8.8 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 60% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

Recommended Action

5 steps

Upgrade TensorFlow to 2.8.0+, or apply cherry-picks targeting 2.7.1, 2.6.3, or 2.5.3.
If immediate patching is blocked, restrict TF inference endpoint access to trusted principals via network ACLs or service mesh policy.
Run TF serving processes in isolated containers or sandboxed VMs to contain blast radius.
Monitor audit logs for anomalous graph submissions or unexpected Grappler-level errors that may indicate exploitation attempts.
Building from source: apply commit 97282c6d0d34476b6ba033f961590b783fa184cd directly.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Framework Inference AML.T0010.001 - AI Software AML.T0043 - Craft Adversarial Data AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.10.3 - Technical robustness and safety of AI systems

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems MAP 5.1 - Likelihood and magnitude of each identified impact based on impacts to individuals, groups, communities, organizations, and society

Frequently Asked Questions

What is CVE-2022-23566?

This heap out-of-bounds write in TensorFlow's graph optimizer (Grappler) is network-exploitable with low privileges and no user interaction—a dangerous combination for any ML serving infrastructure. Any TensorFlow deployment accepting model inputs from low-trust users is at risk of remote code execution. Patch to TF 2.8.0, 2.7.1, 2.6.3, or 2.5.3 immediately; there are no viable workarounds.

Is CVE-2022-23566 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-23566, increasing the risk of exploitation.

How to fix CVE-2022-23566?

1. Upgrade TensorFlow to 2.8.0+, or apply cherry-picks targeting 2.7.1, 2.6.3, or 2.5.3. 2. If immediate patching is blocked, restrict TF inference endpoint access to trusted principals via network ACLs or service mesh policy. 3. Run TF serving processes in isolated containers or sandboxed VMs to contain blast radius. 4. Monitor audit logs for anomalous graph submissions or unexpected Grappler-level errors that may indicate exploitation attempts. 5. Building from source: apply commit 97282c6d0d34476b6ba033f961590b783fa184cd directly.

What systems are affected by CVE-2022-23566?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML platforms, TFX/Kubeflow pipelines, federated learning infrastructure.

What is the CVSS score for CVE-2022-23566?

CVE-2022-23566 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.39%.

Technical Details

NVD Description

Tensorflow is an Open Source Machine Learning Framework. TensorFlow is vulnerable to a heap OOB write in `Grappler`. The `set_output` function writes to an array at the specified index. Hence, this gives a malicious user a write primitive. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with a low-privilege account on a multi-tenant ML platform—such as a shared Jupyter environment, TFX endpoint, or model-as-a-service API—crafts a malicious TensorFlow computational graph that triggers the OOB write in Grappler's set_output by supplying an out-of-range index. With control over the write primitive, the attacker overwrites function pointers or heap metadata to achieve code execution under the ML serving process identity. From there, they pivot to model storage, training datasets, or internal network resources.