AI Threat Alert

CVE-2022-23575: TensorFlow: integer overflow in cost estimator → DoS

MEDIUM PoC AVAILABLE
Published February 4, 2022
CISO Take

TensorFlow's graph optimizer (Grappler) is vulnerable to a DoS via integer overflow when processing crafted tensor operations with excessively large element counts. Any TF serving endpoint accepting user-submitted models or operations is at risk of crash-looping. Patch to TF 2.8.0 / 2.7.1 / 2.6.3 / 2.5.3 immediately; in the interim, restrict who can submit operations to your TF infrastructure.

What is the risk?

Medium operational risk. CVSS 6.5 reflects network-accessible, low-complexity exploitation requiring only low-privilege access — no user interaction needed. The blast radius is limited to availability (A:H); no confidentiality or integrity impact. Risk escalates significantly in multi-tenant or API-exposed TF environments (e.g., TF Serving, Vertex AI custom containers) where uptime SLAs exist or where crashing the optimizer would abort training runs. Not in CISA KEV and not observed in active exploitation.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 3d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
6.5 / 10
EPSS
0.8%
chance of exploitation in 30 days
Higher than 51% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C None
I None
A High

What should I do?

5 steps

  1. PATCH

    Upgrade to TensorFlow 2.8.0, 2.7.1, 2.6.3, or 2.5.3 (all contain the fix from commit fcd18ce).

  2. ISOLATE

    Restrict API access to TF Serving endpoints to authenticated, trusted clients only — enforce network segmentation if serving is internal.

  3. VALIDATE INPUT

    Add pre-submission checks on tensor shapes/sizes before graph optimization (reject ops with element counts approaching INT_MAX).

  4. MONITOR

    Alert on TF Serving process crashes or unexpected restarts, which may indicate exploit attempts.

  5. CONTAINER RESTART POLICY

    Ensure crash-restart policies are in place to limit DoS impact duration.

How is it classified?

DoS Framework Inference AML.T0029 AML.T0034 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.4 - Information security for AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain effectiveness of risk response
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2022-23575?

TensorFlow's graph optimizer (Grappler) is vulnerable to a DoS via integer overflow when processing crafted tensor operations with excessively large element counts. Any TF serving endpoint accepting user-submitted models or operations is at risk of crash-looping. Patch to TF 2.8.0 / 2.7.1 / 2.6.3 / 2.5.3 immediately; in the interim, restrict who can submit operations to your TF infrastructure.

Is CVE-2022-23575 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-23575, increasing the risk of exploitation.

How to fix CVE-2022-23575?

1. PATCH: Upgrade to TensorFlow 2.8.0, 2.7.1, 2.6.3, or 2.5.3 (all contain the fix from commit fcd18ce). 2. ISOLATE: Restrict API access to TF Serving endpoints to authenticated, trusted clients only — enforce network segmentation if serving is internal. 3. VALIDATE INPUT: Add pre-submission checks on tensor shapes/sizes before graph optimization (reject ops with element counts approaching INT_MAX). 4. MONITOR: Alert on TF Serving process crashes or unexpected restarts, which may indicate exploit attempts. 5. CONTAINER RESTART POLICY: Ensure crash-restart policies are in place to limit DoS impact duration.

What systems are affected by CVE-2022-23575?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML platform APIs.

What is the CVSS score for CVE-2022-23575?

CVE-2022-23575 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.77%.

What is the AI security impact?

Affected AI Architectures

model servingtraining pipelinesML platform APIs

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0034 Cost Harvesting
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.9.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

Tensorflow is an Open Source Machine Learning Framework. The implementation of `OpLevelCostEstimator::CalculateTensorSize` is vulnerable to an integer overflow if an attacker can create an operation which would involve a tensor with large enough number of elements. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with low-privilege API access to a TensorFlow Serving endpoint (e.g., a shared ML platform or internal inference API) crafts a SavedModel or operation request containing a tensor descriptor with a maliciously large shape — e.g., a single dimension set close to INT32_MAX. When TF's Grappler optimizer calls CalculateTensorSize on this operation during cost estimation, the product of dimensions overflows, producing an incorrect (small) tensor size. Depending on how the result is used, this can trigger a crash or undefined behavior that terminates the serving process. In an autoscaling environment, this can be repeated to exhaust restart budgets, causing sustained DoS.

Weaknesses (CWE)

CWE-190 Integer Overflow or Wraparound

CWE-190 — Integer Overflow or Wraparound: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

  • [Requirements] Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. If possible, choose a language or compiler that performs automatic bounds checking.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
February 4, 2022
Last Modified
November 21, 2024
First Seen
February 4, 2022

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed