CVE-2022-23578: TensorFlow: memory leak via invalid graph node

MEDIUM PoC AVAILABLE
Published February 4, 2022
CISO Take

An authenticated network user can trigger memory leaks in TensorFlow's graph execution engine by submitting invalid graph nodes, eventually exhausting inference server memory and causing service disruption. Impact is strictly availability — no data exposure or code execution risk. Patch to TensorFlow 2.8.0, 2.7.1, 2.6.3, or 2.5.3; prioritize shared or multi-tenant TensorFlow serving environments where untrusted authenticated users can submit graph workloads.

Risk Assessment

Medium risk overall, but elevated in shared ML serving environments. Network-accessible with low privilege requirement and no user interaction reduces the exploitation bar significantly. Impact is limited to partial availability loss with no confidentiality or integrity implications. Not in CISA KEV and no known active exploitation, but the low complexity makes it accessible to any authenticated user — including malicious insiders or accounts compromised via credential theft.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
tensorflow | pip | | No patch

Severity & Risk

CVSS 3.1
4.3 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 42% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network
AC Low
PR Low
UI None
S Unchanged
C None
I None
A Low

Recommended Action

  1. Patch immediately: upgrade to TensorFlow 2.8.0, or apply cherrypicked fix to 2.7.1, 2.6.3, or 2.5.3 per the GitHub advisory GHSA-8r7c-3cm2-3h8f.

  2. If patching is delayed, restrict graph submission APIs to explicitly trusted principals via network policy or API gateway ACLs.

  3. Enforce memory limits and OOM-kill policies on TensorFlow serving containers/pods to bound blast radius.

  4. Alert on sustained memory growth above baseline on inference servers.

  5. Audit which services expose TensorFlow graph execution APIs to authenticated but untrusted internal users.
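One way to implement the alert in step 4 and tie it to the memory limit from step 3, as an added example that is not part of the advisory or of TensorFlow: a sliding-window least-squares fit over resident-memory samples that fires only on steady growth, not on a short spike. The function names, thresholds and sample series are assumptions constructed for illustration.

```python
from statistics import mean

def fit_trend(samples):
    """Least-squares line through (seconds, rss_mib) points -> (slope MiB/s, R^2)."""
    ts = [t for t, _ in samples]
    ys = [y for _, y in samples]
    t_bar, y_bar = mean(ts), mean(ys)
    sxx = sum((t - t_bar) ** 2 for t in ts)
    syy = sum((y - y_bar) ** 2 for y in ys)
    sxy = sum((t - t_bar) * (y - y_bar) for t, y in samples)
    if sxx == 0 or syy == 0:  # single timestamp or perfectly flat memory
        return 0.0, 0.0
    return sxy / sxx, (sxy * sxy) / (sxx * syy)

def leak_alerts(samples, baseline_mib, limit_mib, window=12,
                min_slope=0.05, min_r2=0.9, headroom_mib=100):
    """Return (timestamp, slope MiB/s, minutes until limit) per alerting window.

    A window alerts only when all three hold:
      - memory grows at least min_slope MiB/s,
      - the growth is close to linear (R^2 >= min_r2), which rejects a
        burst or a one-off step such as a model load,
      - the latest sample sits headroom_mib above the known baseline.
    """
    alerts = []
    for end in range(window, len(samples) + 1):
        win = samples[end - window:end]
        slope, r2 = fit_trend(win)
        t_last, rss_last = win[-1]
        if (slope >= min_slope and r2 >= min_r2
                and rss_last >= baseline_mib + headroom_mib):
            eta_min = (limit_mib - rss_last) / slope / 60
            alerts.append((t_last, round(slope, 3), round(eta_min)))
    return alerts

# Constructed one-minute samples (seconds, RSS in MiB) for a serving process.
# HEALTHY: small jitter plus a two-minute 600 MiB burst that is released.
# LEAKING: the same jitter on top of 6 MiB of unreleased memory per minute.
HEALTHY = [(i * 60, 2000 + (i % 3) * 4 + (600 if i in (20, 21) else 0))
           for i in range(40)]
LEAKING = [(i * 60, 2000 + 6 * i + (i % 3) * 4) for i in range(40)]

if __name__ == "__main__":
    print("healthy:", leak_alerts(HEALTHY, baseline_mib=2000, limit_mib=4096))
    print("leaking:", leak_alerts(LEAKING, baseline_mib=2000, limit_mib=4096)[:3])
```

The third field estimates how long the process has before it reaches the container limit at the current growth rate, which helps decide between a scheduled restart and an immediate one.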

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
6.1.2 - AI risk assessment
NIST AI RMF
MANAGE 2.2 - Mechanisms for sustaining AI risk management
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2022-23578 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-23578, increasing the risk of exploitation.

What systems are affected by CVE-2022-23578?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML frameworks.

What is the CVSS score for CVE-2022-23578?

CVE-2022-23578 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.20%.

Technical Details

NVD Description

TensorFlow is an Open Source Machine Learning Framework. If a graph node is invalid, TensorFlow can leak memory in the implementation of `ImmutableExecutorState::Initialize`. Here, we set `item->kernel` to `nullptr` but it is a simple `OpKernel*` pointer so the memory that was previously allocated to it would leak. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Exploitation Scenario

An authenticated insider or an attacker with compromised low-privilege credentials repeatedly submits crafted TensorFlow graph definitions containing intentionally invalid nodes to a TensorFlow Serving endpoint. Each request causes a kernel pointer to be nulled without freeing the prior allocation in ImmutableExecutorState::Initialize. After thousands of requests — trivially automated with a simple loop — the serving process exhausts available memory, triggering OOM conditions that crash the inference service or severely degrade throughput for all users. This is a low-and-slow DoS against AI inference infrastructure requiring no specialized ML knowledge.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Timeline

Published
February 4, 2022
Last Modified
November 21, 2024
First Seen
February 4, 2022