CVE-2022-23582: TensorFlow: SavedModel CHECK-fail causes DoS
MEDIUM | PoC AVAILABLE
A low-privileged remote attacker can crash TensorFlow model serving by submitting a crafted SavedModel with malformed tensor shapes, triggering a fatal assertion failure. Patch to TF 2.8.0, 2.7.1, 2.6.3, or 2.5.3 immediately. If your pipelines load SavedModels from external or shared sources, validate model integrity before loading.
Risk Assessment
Medium severity overall, but operationally high for teams running TensorFlow serving endpoints accessible to external or low-trust users. Exploitability is straightforward: crafting a malformed SavedModel requires only basic TensorFlow knowledge. Impact is limited to availability (no code execution, no data exfiltration, no data loss), but a sustained DoS against ML inference infrastructure still disrupts production AI services.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | — | No patch |
Do you use tensorflow? You're affected.
Recommended Action
5 steps:
1. Patch: Upgrade to TensorFlow 2.8.0, 2.7.1, 2.6.3, or 2.5.3 (fix commit c2426bba).
2. Validate SavedModels in a sandboxed process before loading into serving infrastructure.
3. Restrict SavedModel upload/submission to trusted principals only—do not allow anonymous or low-trust users to push models.
4. Monitor TF serving processes for unexpected crashes or CHECK failures in logs.
5. Implement process supervision (systemd, supervisord) to auto-restart crashed serving instances and reduce MTTR.
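One way to carry out steps 2 and 4 together, as an added example that is not code from TensorFlow or from this advisory: load the candidate model in a throwaway child process and reject it if the child aborts (a CHECK-fail ends the process with SIGABRT) or logs a "Check failed" line. Assumptions: a POSIX host, `tf.saved_model.load` standing in for the serving stack's load path, and the hypothetical names `validate_saved_model`, `FAKE_ABORT` and `FAKE_OK` (constructed stand-in loaders so the validator runs without TensorFlow).

```python
import resource
import signal
import subprocess
import sys

# Assumption: the serving stack's load path is approximated by tf.saved_model.load.
TF_LOADER = "import sys, tensorflow as tf; tf.saved_model.load(sys.argv[1])"
# Constructed stand-ins: one aborts like a CHECK-fail would, one loads cleanly.
FAKE_ABORT = ("import os, sys; sys.stderr.write('F constructed.cc:1] "
              "Check failed: constructed sample\\n'); sys.stderr.flush(); os.abort()")
FAKE_OK = "pass"
CPU_SECONDS = 60


def _limits():
    # Runs in the child before exec (POSIX): no core dumps, bounded CPU time.
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    _, hard = resource.getrlimit(resource.RLIMIT_CPU)
    cap = CPU_SECONDS if hard == resource.RLIM_INFINITY else min(CPU_SECONDS, hard)
    resource.setrlimit(resource.RLIMIT_CPU, (cap, hard))


def validate_saved_model(model_dir, loader_code=TF_LOADER, timeout=120):
    """Load model_dir in a throwaway child process; return (verdict, detail)."""
    cmd = [sys.executable, "-c", loader_code, model_dir]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, errors="replace",
                              timeout=timeout, preexec_fn=_limits)
    except subprocess.TimeoutExpired:
        return "reject", "timeout"
    fatal = [ln for ln in proc.stderr.splitlines() if "Check failed" in ln]
    if proc.returncode == -signal.SIGABRT:
        # A CHECK-fail aborts the process; only this child dies, not the server.
        return "reject", (fatal[-1] if fatal else "SIGABRT")
    if proc.returncode != 0:
        return "reject", f"exit status {proc.returncode}"
    return "accept", ""


if __name__ == "__main__":
    print(validate_saved_model("/nonexistent", FAKE_ABORT))
    print(validate_saved_model("/nonexistent", FAKE_OK))
```

The child process only contains the crash; it does not restrict filesystem or network access, so run it inside whatever container or seccomp profile the pipeline already uses for untrusted input.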
Frequently Asked Questions
What is CVE-2022-23582?
A low-privileged remote attacker can crash TensorFlow model serving by submitting a crafted SavedModel with malformed tensor shapes, triggering a fatal assertion failure. Patch to TF 2.8.0, 2.7.1, 2.6.3, or 2.5.3 immediately. If your pipelines load SavedModels from external or shared sources, validate model integrity before loading.
Is CVE-2022-23582 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2022-23582, increasing the risk of exploitation.
How to fix CVE-2022-23582?
1. Patch: Upgrade to TensorFlow 2.8.0, 2.7.1, 2.6.3, or 2.5.3 (fix commit c2426bba).
2. Validate SavedModels in a sandboxed process before loading into serving infrastructure.
3. Restrict SavedModel upload/submission to trusted principals only—do not allow anonymous or low-trust users to push models.
4. Monitor TF serving processes for unexpected crashes or CHECK failures in logs.
5. Implement process supervision (systemd, supervisord) to auto-restart crashed serving instances and reduce MTTR.
What systems are affected by CVE-2022-23582?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML inference infrastructure.
What is the CVSS score for CVE-2022-23582?
CVE-2022-23582 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.22%.
Technical Details
NVD Description
Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a denial of service by altering a `SavedModel` such that `TensorByteSize` would trigger `CHECK` failures. `TensorShape` constructor throws a `CHECK`-fail if shape is partial or has a number of elements that would overflow the size of an `int`. The `PartialTensorShape` constructor instead does not cause a `CHECK`-abort if the shape is partial, which is exactly what this function needs to be able to return `-1`. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
Exploitation Scenario
An attacker with low-privilege authenticated access—a registered API user, internal employee, or compromised account—submits a crafted SavedModel where tensor shapes are defined as partial or sized to overflow a signed int. When the TF backend calls TensorByteSize() on this model during loading, the TensorShape constructor triggers a CHECK assertion failure, aborting the process. Without automatic restart, the ML inference endpoint goes down. The attacker can loop submissions to maintain persistent DoS against the AI serving layer.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
- github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/framework/attr_value_util.cc Exploit 3rd Party
- github.com/tensorflow/tensorflow/commit/c2426bba00a01de6913738df8fa78e0215fcce02 Patch 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-4j82-5ccr-4r8v Patch 3rd Party
Related Vulnerabilities
- CVE-2020-15196 (9.9) TensorFlow: heap OOB read in sparse/ragged count ops. Same package: tensorflow
- CVE-2020-15205 (9.8) TensorFlow: heap overflow in StringNGrams, ASLR bypass. Same package: tensorflow
- CVE-2020-15208 (9.8) TFLite: OOB read/write via tensor dimension mismatch. Same package: tensorflow
- CVE-2019-16778 (9.8) TensorFlow: heap overflow in UnsortedSegmentSum op. Same package: tensorflow
- CVE-2022-23587 (9.8) TensorFlow: integer overflow in Grappler enables RCE. Same package: tensorflow