CVE-2022-23576 — MEDIUM (CVSS 6.5) AI Security Vulnerability

CISO Take

A network-accessible integer overflow in TensorFlow's Grappler cost estimator allows low-privileged attackers to crash TensorFlow workloads via crafted tensor operations. Patch to TF 2.8.0, 2.7.1, 2.6.3, or 2.5.3 immediately if running older versions. Restrict API access to TensorFlow Serving endpoints to minimize exposure surface.

Risk Assessment

Medium risk in most environments. CVSS 6.5 reflects network accessibility with low privilege requirements, but impact is limited to availability—no data exfiltration or code execution is possible. Risk increases substantially for multi-tenant AI platforms or shared inference infrastructure where untrusted users can submit custom graph operations. Not in CISA KEV and no known active exploitation as of publication.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

6.5 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 44% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Upgrade to TensorFlow 2.8.0, 2.7.1, 2.6.3, or 2.5.3—all contain the upstream patch (commit b9bd6cfd).
Enforce strict authentication and authorization on all TF Serving and training API endpoints—no unauthenticated tensor submission.
Implement input validation at the API gateway layer to reject operations with pathologically large tensor dimensions.
Set resource quotas on tensor dimension sizes in multi-tenant environments.
Monitor for abnormally large graph submissions or repeated crash/restart cycles as detection signals for exploitation attempts.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0043 - Craft Adversarial Data AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system availability and resilience

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain AI system operation and performance

Frequently Asked Questions

What is CVE-2022-23576?

A network-accessible integer overflow in TensorFlow's Grappler cost estimator allows low-privileged attackers to crash TensorFlow workloads via crafted tensor operations. Patch to TF 2.8.0, 2.7.1, 2.6.3, or 2.5.3 immediately if running older versions. Restrict API access to TensorFlow Serving endpoints to minimize exposure surface.

Is CVE-2022-23576 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-23576, increasing the risk of exploitation.

How to fix CVE-2022-23576?

1. Upgrade to TensorFlow 2.8.0, 2.7.1, 2.6.3, or 2.5.3—all contain the upstream patch (commit b9bd6cfd). 2. Enforce strict authentication and authorization on all TF Serving and training API endpoints—no unauthenticated tensor submission. 3. Implement input validation at the API gateway layer to reject operations with pathologically large tensor dimensions. 4. Set resource quotas on tensor dimension sizes in multi-tenant environments. 5. Monitor for abnormally large graph submissions or repeated crash/restart cycles as detection signals for exploitation attempts.

What systems are affected by CVE-2022-23576?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps platforms.

What is the CVSS score for CVE-2022-23576?

CVE-2022-23576 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.22%.

Technical Details

NVD Description

Tensorflow is an Open Source Machine Learning Framework. The implementation of `OpLevelCostEstimator::CalculateOutputSize` is vulnerable to an integer overflow if an attacker can create an operation which would involve tensors with large enough number of elements. We can have a large enough number of dimensions in `output_shape.dim()` or just a small number of dimensions being large enough to cause an overflow in the multiplication. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with low-privilege API credentials to a TensorFlow Serving endpoint or shared MLOps platform constructs a computation graph containing operations whose output tensors have very large numbers of dimensions or dimension sizes. When TensorFlow's Grappler optimizer invokes CalculateOutputSize to estimate operation costs, the multiplication of dimension values overflows a 32-bit integer, causing an abort or crash of the TF runtime. In a shared ML training cluster, this is repeatable on demand: the attacker can continuously restart crashed workers, disrupting legitimate training jobs and degrading inference SLAs for all tenants on the platform.