CVE-2022-23572: TensorFlow: DoS via shape inference assertion failure

MEDIUM PoC AVAILABLE CISA: TRACK*
Published February 4, 2022
CISO Take

A network-accessible, low-privilege attacker can crash TensorFlow model serving instances by triggering a shape inference failure in production builds—DCHECK is silently skipped, execution hits ValueOrDie with an error Status, and the process crashes. Patch to TF 2.8.0, 2.7.1, or 2.6.3 immediately on any inference endpoint exposed to untrusted users. No confidentiality or integrity risk, but availability impact is real for AI serving infrastructure.

Risk Assessment

Medium operational risk. CVSS 6.5 (AV:N/AC:L/PR:L/UI:N/A:H) reflects network reachability with low-privilege access—a low bar for authenticated multi-tenant model serving platforms. The production build behavior (silent DCHECK skip → crash) is more dangerous than the debug behavior. No active exploitation or KEV listing, but the reliability of the crash path makes it a plausible availability weapon against shared inference infrastructure. Orgs running TF in production serving with user-controlled inputs are most exposed.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 6.5 / 10
EPSS: 0.5% chance of exploitation in 30 days (higher than 66% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: None
A: High

Recommended Action

  1. PATCH

    Upgrade to TensorFlow 2.8.0, 2.7.1, or 2.6.3 (fixes included via cherry-pick).

  2. ISOLATE

    If patching is delayed, restrict model serving endpoints to authenticated internal users only—remove public-facing exposure.

  3. INPUT VALIDATION

    Add server-side tensor shape validation before passing inputs to TF inference; reject malformed or unexpected shape combinations.

  4. MONITOR

    Alert on abnormal TF serving process crashes or restart loops—these are the primary behavioral indicator.

  5. SANDBOXING

    Run TF inference workers as isolated processes or containers so a crash does not cascade to the broader platform.

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness, and cybersecurity
ISO 42001
8.4 - AI system operation and monitoring
NIST AI RMF
GOVERN 6.1 - Policies for third-party and AI supply chain risk
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI

Frequently Asked Questions

Is CVE-2022-23572 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-23572, increasing the risk of exploitation.

How to fix CVE-2022-23572?

  1. PATCH: Upgrade to TensorFlow 2.8.0, 2.7.1, or 2.6.3 (fixes included via cherry-pick).
  2. ISOLATE: If patching is delayed, restrict model serving endpoints to authenticated internal users only—remove public-facing exposure.
  3. INPUT VALIDATION: Add server-side tensor shape validation before passing inputs to TF inference; reject malformed or unexpected shape combinations.
  4. MONITOR: Alert on abnormal TF serving process crashes or restart loops—these are the primary behavioral indicator.
  5. SANDBOXING: Run TF inference workers as isolated processes or containers so a crash does not cascade to the broader platform.

What systems are affected by CVE-2022-23572?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, training pipelines, MLOps platforms.

What is the CVSS score for CVE-2022-23572?

CVE-2022-23572 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.51%.

Technical Details

NVD Description

TensorFlow is an Open Source Machine Learning Framework. Under certain scenarios, TensorFlow can fail to specialize a type during shape inference. This case is covered by the `DCHECK` function; however, `DCHECK` is a no-op in production builds and an assertion failure in debug builds. In the first case execution proceeds to the `ValueOrDie` line. This results in an assertion failure as `ret` contains an error `Status`, not a value. In the second case we also get a crash due to the assertion failure. The fix will be included in TensorFlow 2.8.0. We will also cherry-pick this commit on TensorFlow 2.7.1, and TensorFlow 2.6.3, as these are also affected and still in supported range.
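The pattern the description refers to, a debug-only check followed by an unconditional unwrap, modeled in C++ beside a form that checks at runtime in every build. This is an added illustration, not TensorFlow source or the upstream patch; `Status`, `StatusOr`, `DCHECK_MODEL`, `SpecializeType`, `InferUnsafe`, `InferChecked` and `UnsafeAbortsInChild` are simplified hypothetical stand-ins, and the child-process helper assumes a POSIX system.

```cpp
// Simplified model of the defect class (added example, not TensorFlow source).
#include <csignal>
#include <cstdlib>
#include <sys/wait.h>
#include <unistd.h>

struct Status { bool ok; const char* message; };
template <typename T>
struct StatusOr {  // holds either a value or an error Status
  Status status{true, ""};
  T value{};
  StatusOr(T v) : value(v) {}
  StatusOr(Status s) : status(s) {}
  bool ok() const { return status.ok; }
  T ValueOrDie() const { if (!status.ok) std::abort(); return value; }  // fatal on error
};
#define DCHECK_MODEL(cond) ((void)0)  // production build: the check is a no-op

// Hypothetical stand-in for type specialization; negative ids fail.
StatusOr<int> SpecializeType(int id) {
  if (id < 0) return Status{false, "cannot specialize type"};
  return id;
}

// Defect pattern: debug-only guard followed by an unconditional unwrap.
int InferUnsafe(int id) {
  StatusOr<int> ret = SpecializeType(id);
  DCHECK_MODEL(ret.ok());   // compiled out, so the error goes unnoticed
  return ret.ValueOrDie();  // aborts the process when ret holds an error
}

// Hardened form: runtime check in every build, error returned to the caller.
Status InferChecked(int id, int* out) {
  StatusOr<int> ret = SpecializeType(id);
  if (!ret.ok()) return ret.status;
  *out = ret.ValueOrDie();
  return Status{true, ""};
}

// Runs InferUnsafe in a child process; true if the child died with SIGABRT.
bool UnsafeAbortsInChild(int id) {
  pid_t pid = fork();
  if (pid == 0) { InferUnsafe(id); _exit(0); }  // child: expected to abort
  int ws = 0;
  if (pid < 0 || waitpid(pid, &ws, 0) < 0) return false;
  return WIFSIGNALED(ws) && WTERMSIG(ws) == SIGABRT;
}

int main() { return UnsafeAbortsInChild(-1) ? 0 : 1; }  // exit 0 when the abort is observed
```

The checked variant turns the same failing input into an error the caller can reject, so a serving process keeps running instead of restarting.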

Exploitation Scenario

An adversary with a valid account on a shared TensorFlow-backed ML platform (e.g., an internal model serving API, a notebook environment, or a public ML-as-a-service endpoint) submits a specially crafted inference request containing tensor inputs that trigger a type specialization failure in TensorFlow's shape inference engine. In production builds, the DCHECK guard is compiled out, so execution silently proceeds to the ValueOrDie call on an error-state Status object, causing an assertion failure and process crash. The attacker can script this request in a loop to sustain a denial of service, forcing continuous pod restarts and degrading or eliminating service availability for legitimate users—at zero cost to the attacker beyond a valid API credential.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
February 4, 2022
Last Modified
November 21, 2024
First Seen
February 4, 2022
