AI Threat Alert
CVE-2022-23582: TensorFlow: SavedModel CHECK-fail causes DoS
MEDIUM PoC AVAILABLEA low-privileged remote attacker can crash TensorFlow model serving by submitting a crafted SavedModel with malformed tensor shapes, triggering a fatal assertion failure. Patch to TF 2.8.0, 2.7.1, 2.6.3, or 2.5.3 immediately. If your pipelines load SavedModels from external or shared sources, validate model integrity before loading.
What is the risk?
Medium severity overall, but operationally high for teams running TensorFlow serving endpoints accessible to external or low-trust users. Exploitability is straightforward—crafting a malformed SavedModel requires only basic TensorFlow knowledge. Impact is limited to availability (no code execution, no data exfiltration), but sustained DoS against ML inference infrastructure disrupts production AI services with no data loss risk to offset downtime.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
Do you use TensorFlow? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Patch: Upgrade to TensorFlow 2.8.0, 2.7.1, 2.6.3, or 2.5.3 (fix commit c2426bba).
-
Validate SavedModels in a sandboxed process before loading into serving infrastructure.
-
Restrict SavedModel upload/submission to trusted principals only—do not allow anonymous or low-trust users to push models.
-
Monitor TF serving processes for unexpected crashes or CHECK failures in logs.
-
Implement process supervision (systemd, supervisord) to auto-restart crashed serving instances and reduce MTTR.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2022-23582?
A low-privileged remote attacker can crash TensorFlow model serving by submitting a crafted SavedModel with malformed tensor shapes, triggering a fatal assertion failure. Patch to TF 2.8.0, 2.7.1, 2.6.3, or 2.5.3 immediately. If your pipelines load SavedModels from external or shared sources, validate model integrity before loading.
Is CVE-2022-23582 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2022-23582, increasing the risk of exploitation.
How to fix CVE-2022-23582?
1. Patch: Upgrade to TensorFlow 2.8.0, 2.7.1, 2.6.3, or 2.5.3 (fix commit c2426bba). 2. Validate SavedModels in a sandboxed process before loading into serving infrastructure. 3. Restrict SavedModel upload/submission to trusted principals only—do not allow anonymous or low-trust users to push models. 4. Monitor TF serving processes for unexpected crashes or CHECK failures in logs. 5. Implement process supervision (systemd, supervisord) to auto-restart crashed serving instances and reduce MTTR.
What systems are affected by CVE-2022-23582?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML inference infrastructure.
What is the CVSS score for CVE-2022-23582?
CVE-2022-23582 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.77%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0011.000 Unsafe AI Artifacts AML.T0029 Denial of AI Service AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a denial of service by altering a `SavedModel` such that `TensorByteSize` would trigger `CHECK` failures. `TensorShape` constructor throws a `CHECK`-fail if shape is partial or has a number of elements that would overflow the size of an `int`. The `PartialTensorShape` constructor instead does not cause a `CHECK`-abort if the shape is partial, which is exactly what this function needs to be able to return `-1`. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
Exploitation Scenario
An attacker with low-privilege authenticated access—a registered API user, internal employee, or compromised account—submits a crafted SavedModel where tensor shapes are defined as partial or sized to overflow a signed int. When the TF backend calls TensorByteSize() on this model during loading, the TensorShape constructor triggers a CHECK assertion failure, aborting the process. Without automatic restart, the ML inference endpoint goes down. The attacker can loop submissions to maintain persistent DoS against the AI serving layer.
Weaknesses (CWE)
CWE-617 — Reachable Assertion: The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
- [Implementation] Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
- [Implementation] Perform input validation on user data.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H References
- github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/framework/attr_value_util.cc Exploit 3rd Party
- github.com/tensorflow/tensorflow/commit/c2426bba00a01de6913738df8fa78e0215fcce02 Patch 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-4j82-5ccr-4r8v Patch 3rd Party
Timeline
Related Vulnerabilities
CVE-2020-15196 9.9 TensorFlow: heap OOB read in sparse/ragged count ops
Same package: tensorflow CVE-2020-15205 9.8 TensorFlow: heap overflow in StringNGrams, ASLR bypass
Same package: tensorflow CVE-2020-15208 9.8 TFLite: OOB read/write via tensor dimension mismatch
Same package: tensorflow CVE-2019-16778 9.8 TensorFlow: heap overflow in UnsortedSegmentSum op
Same package: tensorflow CVE-2022-23587 9.8 TensorFlow: integer overflow in Grappler enables RCE
Same package: tensorflow