CVE-2022-23581: TensorFlow: DoS via Grappler optimizer CHECK failure

MEDIUM PoC AVAILABLE
Published February 4, 2022
CISO Take

Any TensorFlow deployment that loads SavedModels from untrusted or external sources is vulnerable to a process crash via crafted model files. Patch to TF 2.8.0, 2.7.1, 2.6.3, or 2.5.3 immediately if you run model-serving endpoints or automated training pipelines that ingest third-party models. Sandboxing model loading is a viable workaround if patching is delayed.

Risk Assessment

Moderate operational risk despite medium CVSS score. The low attack complexity and network accessibility make this reliably exploitable by any authenticated user who can submit a SavedModel. Impact is limited to availability (no data exposure), but model-serving downtime in production AI systems can have significant business consequences. Risk escalates for multi-tenant ML platforms where users can upload arbitrary models.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch


Severity & Risk

CVSS 3.1: 6.5 / 10
EPSS: 0.5% chance of exploitation in 30 days (higher than 65% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Recommended Action

5 steps
  1. PATCH

    Upgrade to TensorFlow 2.8.0, or apply backport patches for 2.7.1, 2.6.3, or 2.5.3 (commits 1fb2773, 240655511, ebc1a2f).

  2. RESTRICT

    Enforce allowlists for SavedModel sources; reject externally-sourced models not originating from your own registry.

  3. ISOLATE

    Run model loading in sandboxed processes or containers so a crash does not take down the entire serving infrastructure.

  4. DETECT

    Monitor for abrupt TF process crashes, particularly in serving layers; alert on repeated CHECK assertion failures in logs (look for 'IsSimplifiableReshape' in stack traces).

  5. VALIDATE

    Implement pre-load model scanning as a pipeline gate before any SavedModel reaches a production optimizer.
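Steps 3 to 5 above (ISOLATE, DETECT, VALIDATE) can be wired together in a small gate and alerting helper. The following is an added example, not code from the advisory or from the TensorFlow project. It assumes POSIX process semantics (a failed CHECK aborts the process with SIGABRT, which Python reports as a negative return code), a hypothetical loader snippet that calls `tf.saved_model.load` in a child interpreter with TensorFlow installed, and a constructed log format in which each line starts with the pod/host name and TensorFlow's CHECK failures appear as "Check failed:" followed by a stack trace. The sample log lines are constructed for the example, not captured from a real system.

```python
"""Isolate SavedModel loading in a child process and alert on repeated CHECK failures.

Added example for CVE-2022-23581 handling; assumptions are noted inline.
"""
import re
import subprocess
import sys


# --- ISOLATE / VALIDATE: load the model in a throwaway child process ----------

def classify_exit(returncode, timed_out):
    """Map a child-process outcome to a gate verdict."""
    if timed_out:
        return "timeout"
    if returncode == 0:
        return "ok"
    if returncode < 0:
        # Assumption (POSIX): a negative return code means the child was killed by a
        # signal; a failed TF CHECK aborts the process with SIGABRT (-6).
        return "crashed"
    return "error"  # loader raised a Python exception (e.g. unreadable protobuf)


def run_isolated(cmd, timeout=120):
    """Run cmd in a child process so an abort cannot take down the caller."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify_exit(proc.returncode, False)


def gate_saved_model(model_dir, timeout=120):
    """Pipeline gate: only a model that loads cleanly in isolation may proceed.

    Hypothetical loader: assumes TensorFlow is installed in the child interpreter.
    A real serving stack would also run a warm-up call so that Grappler's
    optimizer passes actually execute against the loaded graph.
    """
    loader = f"import tensorflow as tf; tf.saved_model.load({model_dir!r})"
    return run_isolated([sys.executable, "-c", loader], timeout)


def simulated_check_failure():
    """Stand-in for a CHECK-failing model: os.abort() raises SIGABRT like a failed CHECK."""
    return run_isolated([sys.executable, "-c", "import os; os.abort()"])


def simulated_clean_load():
    """Stand-in for a model that loads without incident."""
    return run_isolated([sys.executable, "-c", "pass"])


# --- DETECT: alert on repeated CHECK failures attributed to a marker function --

CHECK_FAILED = re.compile(r"\bCheck failed:")


def crash_events(lines, marker="IsSimplifiableReshape"):
    """Return {host: number of CHECK failures whose stack trace mentions marker}."""
    pending = {}  # host -> a CHECK failure was seen and its trace is still being read
    counts = {}
    for line in lines:
        if not line.strip():
            continue
        host = line.split(maxsplit=1)[0]
        if CHECK_FAILED.search(line):
            pending[host] = True
        elif pending.get(host) and marker in line:
            counts[host] = counts.get(host, 0) + 1
            pending[host] = False
    return counts


def hosts_to_alert(lines, threshold=2, marker="IsSimplifiableReshape"):
    """Hosts whose count of marker-attributed CHECK failures reaches the threshold."""
    return sorted(h for h, n in crash_events(lines, marker).items() if n >= threshold)


# Constructed sample log stream (not real TensorFlow output).
SAMPLE_LOGS = [
    "serving-0 10:00:01 I tensorflow/cc/saved_model/loader.cc] Reading SavedModel from: /models/partner-a",
    "serving-0 10:00:02 F tensorflow/core/grappler/optimizers/constant_folding.cc] Check failed: <condition>",
    "serving-0 10:00:02 E  #2 tensorflow::grappler::ConstantFolding::IsSimplifiableReshape()",
    "serving-1 10:00:03 I tensorflow/cc/saved_model/loader.cc] SavedModel load for tags { serve }; Status: success",
    "serving-0 10:00:40 F tensorflow/core/grappler/optimizers/constant_folding.cc] Check failed: <condition>",
    "serving-0 10:00:40 E  #2 tensorflow::grappler::ConstantFolding::IsSimplifiableReshape()",
    "serving-2 10:01:00 F tensorflow/core/framework/tensor.cc] Check failed: <condition>",
    "serving-2 10:01:00 E  #2 tensorflow::Tensor::CheckType()",
]


if __name__ == "__main__":
    print("simulated CHECK failure ->", simulated_check_failure())
    print("simulated clean load    ->", simulated_clean_load())
    print("hosts to alert          ->", hosts_to_alert(SAMPLE_LOGS))
```

The gate treats any non-zero outcome as a rejection, but distinguishes "crashed" (the CHECK-failure case this advisory describes) from "error" (the loader raised a normal exception) and "timeout", since each deserves a different follow-up. The detector only counts a CHECK failure once a following trace line names the marker function, so unrelated CHECK failures on other hosts do not trip the `IsSimplifiableReshape` alert.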

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2.5 - AI System Robustness and Availability
NIST AI RMF
GOVERN 6.1 - Policies and procedures are in place for third-party AI risks
MANAGE 2.2 - Responses to AI risks are documented and monitored

Frequently Asked Questions

What is CVE-2022-23581?

Any TensorFlow deployment that loads SavedModels from untrusted or external sources is vulnerable to a process crash via crafted model files. Patch to TF 2.8.0, 2.7.1, 2.6.3, or 2.5.3 immediately if you run model-serving endpoints or automated training pipelines that ingest third-party models. Sandboxing model loading is a viable workaround if patching is delayed.

Is CVE-2022-23581 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-23581, increasing the risk of exploitation.

How to fix CVE-2022-23581?

1. PATCH: Upgrade to TensorFlow 2.8.0, or apply backport patches for 2.7.1, 2.6.3, or 2.5.3 (commits 1fb2773, 240655511, ebc1a2f).
2. RESTRICT: Enforce allowlists for SavedModel sources; reject externally-sourced models not originating from your own registry.
3. ISOLATE: Run model loading in sandboxed processes or containers so a crash does not take down the entire serving infrastructure.
4. DETECT: Monitor for abrupt TF process crashes, particularly in serving layers; alert on repeated CHECK assertion failures in logs (look for 'IsSimplifiableReshape' in stack traces).
5. VALIDATE: Implement pre-load model scanning as a pipeline gate before any SavedModel reaches a production optimizer.

What systems are affected by CVE-2022-23581?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML inference endpoints, model registries, CI/CD model validation pipelines.

What is the CVSS score for CVE-2022-23581?

CVE-2022-23581 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.48%.

Technical Details

NVD Description

Tensorflow is an Open Source Machine Learning Framework. The Grappler optimizer in TensorFlow can be used to cause a denial of service by altering a `SavedModel` such that `IsSimplifiableReshape` would trigger `CHECK` failures. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with low-privilege access to a model-serving platform (e.g., an ML engineer or external partner with upload rights) crafts a malicious SavedModel by manipulating the reshape operation metadata to produce an invalid graph that passes initial validation but triggers a CHECK failure inside IsSimplifiableReshape during Grappler's constant-folding pass. When the serving infrastructure loads this model, the TF process aborts immediately. In an automated CI/CD pipeline, this causes repeated build failures. Against a live serving endpoint, continuous resubmission keeps the process in a crash loop, effectively taking the inference API offline. No shellcode or exploit toolkit is required; only knowledge of TF's SavedModel protobuf format.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
February 4, 2022
Last Modified
November 21, 2024
First Seen
February 4, 2022
