CVE-2022-23572: TensorFlow: DoS via shape inference assertion failure

MEDIUM PoC AVAILABLE CISA: TRACK*
Published February 4, 2022
CISO Take

A network-accessible, low-privilege attacker can crash TensorFlow model serving instances by triggering a shape inference failure in production builds—DCHECK is silently skipped, execution hits ValueOrDie with an error Status, and the process crashes. Patch to TF 2.8.0, 2.7.1, or 2.6.3 immediately on any inference endpoint exposed to untrusted users. No confidentiality or integrity risk, but availability impact is real for AI serving infrastructure.

What is the risk?

Medium operational risk. CVSS 6.5 (AV:N/AC:L/PR:L/UI:N/A:H) reflects network reachability with low-privilege access—a low bar for authenticated multi-tenant model serving platforms. The production build behavior (silent DCHECK skip → crash) is more dangerous than the debug behavior. No active exploitation or KEV listing, but the reliability of the crash path makes it a plausible availability weapon against shared inference infrastructure. Orgs running TF in production serving with user-controlled inputs are most exposed.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
TensorFlow | pip | | No patch

How severe is it?

CVSS 3.1: 6.5 / 10
EPSS: 1.0% chance of exploitation in 30 days (higher than 57% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: None
A: High

What should I do?

5 steps
  1. PATCH

    Upgrade to TensorFlow 2.8.0, 2.7.1, or 2.6.3 (fixes included via cherry-pick).

  2. ISOLATE

    If patching is delayed, restrict model serving endpoints to authenticated internal users only—remove public-facing exposure.

  3. INPUT VALIDATION

    Add server-side tensor shape validation before passing inputs to TF inference; reject malformed or unexpected shape combinations.

  4. MONITOR

    Alert on abnormal TF serving process crashes or restart loops—these are the primary behavioral indicator.

  5. SANDBOXING

    Run TF inference workers as isolated processes or containers so a crash does not cascade to the broader platform.

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness, and cybersecurity
ISO 42001
8.4 - AI system operation and monitoring
NIST AI RMF
GOVERN 6.1 - Policies for third-party and AI supply chain risk
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI

Frequently Asked Questions

What is CVE-2022-23572?

A network-accessible, low-privilege attacker can crash TensorFlow model serving instances by triggering a shape inference failure in production builds—DCHECK is silently skipped, execution hits ValueOrDie with an error Status, and the process crashes. Patch to TF 2.8.0, 2.7.1, or 2.6.3 immediately on any inference endpoint exposed to untrusted users. No confidentiality or integrity risk, but availability impact is real for AI serving infrastructure.

Is CVE-2022-23572 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-23572, increasing the risk of exploitation.

How to fix CVE-2022-23572?

1. PATCH: Upgrade to TensorFlow 2.8.0, 2.7.1, or 2.6.3 (fixes included via cherry-pick).
2. ISOLATE: If patching is delayed, restrict model serving endpoints to authenticated internal users only—remove public-facing exposure.
3. INPUT VALIDATION: Add server-side tensor shape validation before passing inputs to TF inference; reject malformed or unexpected shape combinations.
4. MONITOR: Alert on abnormal TF serving process crashes or restart loops—these are the primary behavioral indicator.
5. SANDBOXING: Run TF inference workers as isolated processes or containers so a crash does not cascade to the broader platform.

What systems are affected by CVE-2022-23572?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, training pipelines, MLOps platforms.

What is the CVSS score for CVE-2022-23572?

CVE-2022-23572 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.97%.

What is the AI security impact?

Affected AI Architectures

model serving, inference APIs, training pipelines, MLOps platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 8.4
NIST AI RMF: GOVERN 6.1, MANAGE 2.2

What are the technical details?

Original Advisory

TensorFlow is an Open Source Machine Learning Framework. Under certain scenarios, TensorFlow can fail to specialize a type during shape inference. This case is covered by the `DCHECK` function; however, `DCHECK` is a no-op in production builds and an assertion failure in debug builds. In the first case execution proceeds to the `ValueOrDie` line. This results in an assertion failure as `ret` contains an error `Status`, not a value. In the second case we also get a crash due to the assertion failure. The fix will be included in TensorFlow 2.8.0. We will also cherry-pick this commit on TensorFlow 2.7.1, and TensorFlow 2.6.3, as these are also affected and still in supported range.
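The pattern the advisory describes, shown beside a hardened form, as an added example that is not TensorFlow source or the advisory's own code. `Status`, `StatusOr`, `SpecializeType`, `InferTypeUnsafe`, `InferTypeSafe` and the negative-id failure condition are simplified, hypothetical stand-ins.

```cpp
// Simplified model of the advisory's pattern; hypothetical names, not TensorFlow source.
#include <cstdio>
#include <cstdlib>
#include <string>
struct Status { std::string msg; bool ok() const { return msg.empty(); } };  // empty = OK
#ifdef NDEBUG  // production build: the check is compiled out
#define DCHECK(cond) ((void)0)
#else          // debug build: a failed check aborts
#define DCHECK(cond) do { if (!(cond)) std::abort(); } while (0)
#endif
template <typename T>
class StatusOr {  // holds either a value or an error Status
 public:
  StatusOr(T v) : value_(v) {}
  StatusOr(Status s) : status_(s) {}
  const Status& status() const { return status_; }
  const T& ValueOrDie() const {  // aborts the process when holding an error
    if (!status_.ok()) { std::fprintf(stderr, "fatal: %s\n", status_.msg.c_str()); std::abort(); }
    return value_;
  }
 private:
  T value_{}; Status status_;
};

// Hypothetical specialization step; a negative id stands in for an unresolvable type.
StatusOr<int> SpecializeType(int id) {
  if (id < 0) return Status{"cannot specialize type"};
  return id;
}

// Before: with NDEBUG the DCHECK vanishes and ValueOrDie runs on an error Status.
int InferTypeUnsafe(int id) {
  const auto ret = SpecializeType(id);
  DCHECK(ret.status().ok());
  return ret.ValueOrDie();
}

// After: the error is returned, so the caller can reject this one request.
Status InferTypeSafe(int id, int* out) {
  const auto ret = SpecializeType(id);
  if (!ret.status().ok()) return ret.status();
  *out = ret.ValueOrDie();
  return Status{};
}

int main() {  // demo: the bad id is rejected instead of killing the process
  int t = 0;
  std::printf("rejected: %s\n", InferTypeSafe(-1, &t).msg.c_str());
}
```

In the "before" function the process dies in both build modes, which matches the advisory; only the "after" form turns the failure into a per-request error.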

Exploitation Scenario

An adversary with a valid account on a shared TensorFlow-backed ML platform (e.g., an internal model serving API, a notebook environment, or a public ML-as-a-service endpoint) submits a specially crafted inference request containing tensor inputs that trigger a type specialization failure in TensorFlow's shape inference engine. In production builds, the DCHECK guard is compiled out, so execution silently proceeds to the ValueOrDie call on an error-state Status object, causing an assertion failure and process crash. The attacker can script this request in a loop to sustain a denial of service, forcing continuous pod restarts and degrading or eliminating service availability for legitimate users—at zero cost to the attacker beyond a valid API credential.

Weaknesses (CWE)

CWE-617 — Reachable Assertion: The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

  • [Implementation] Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
  • [Implementation] Perform input validation on user data.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: February 4, 2022
Last Modified: November 21, 2024
First Seen: February 4, 2022
