CVE-2022-23584: TensorFlow: use-after-free in PNG decode causes DoS
MEDIUM | PoC AVAILABLE | CISA: TRACK*

Any TensorFlow deployment on 2.5.x–2.7.x that processes PNG images—inference APIs, training pipelines, or preprocessing services—can be crashed by a malicious image sent over the network with only low privileges. No confidentiality impact, but availability loss in production ML services is operationally significant. Patch to TF 2.8.0 (or the applicable backport) now; if patching is delayed, add upstream input validation to reject malformed images before they reach the TF decode layer.
What is the risk?
Medium severity with tangible operational risk for ML serving infrastructure. CVSS 6.5 reflects DoS-only impact, but the low attack complexity and network exploitability make it straightforward to trigger reliably. In production inference environments where TensorFlow processes user-supplied images, an attacker with API-level access can induce repeated crashes and sustained outages. Use-after-free bugs carry theoretical RCE potential, but no confirmed exploit chain for code execution has been published for this specific issue.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
Do you use TensorFlow? You're affected.
What should I do?
5 steps:
1. Patch: Upgrade to TensorFlow 2.8.0 or apply the backport to 2.7.1, 2.6.3, or 2.5.3.
2. Input validation: Validate image format, dimensions, and file header at the API boundary before passing to TF decode ops—reject anomalous PNGs upstream.
3. Process isolation: Run TF inference workers in separate processes or containers so a crash does not cascade to the full service.
4. Least privilege: Require authentication on all inference API endpoints to prevent unauthenticated exploitation.
5. Detection: Alert on unexpected TF process restarts, SIGSEGV signals, or OOMKilled events in serving infrastructure; repeated crashes against the same endpoint are a strong indicator.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
Is CVE-2022-23584 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2022-23584, increasing the risk of exploitation.
What systems are affected by CVE-2022-23584?
This vulnerability affects the following AI/ML architecture patterns: ML inference services, training pipelines, data preprocessing pipelines, model serving, notebook environments.
What is the CVSS score for CVE-2022-23584?
CVE-2022-23584 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.71%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0029 Denial of AI Service
- AML.T0043.003 Manual Modification
- AML.T0049 Exploit Public-Facing Application
Compliance Controls Affected
What are the technical details?
Original Advisory
Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a use after free behavior when decoding PNG images. After `png::CommonFreeDecode(&decode)` gets called, the values of `decode.width` and `decode.height` are in an unspecified state. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
Exploitation Scenario
An adversary with low-privilege access to an image classification inference API (e.g., a registered user of an ML SaaS built on TensorFlow) crafts a malicious PNG that triggers the use-after-free in `tensorflow/core/kernels/image/decode_image_op.cc`. When TensorFlow calls `png::CommonFreeDecode(&decode)` and the decode struct is freed, the adversary's payload causes the process to access stale `decode.width`/`decode.height` memory. The TF serving process crashes. In a multi-tenant environment this disrupts availability for all users simultaneously. If the service auto-restarts without alerting, the adversary can send repeated requests to maintain a sustained outage with minimal effort.
Weaknesses (CWE)
CWE-416 — Use After Free: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
- [Architecture and Design] Choose a language that provides automatic memory management.
- [Implementation] When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
- github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/image/decode_image_op.cc Exploit 3rd Party
- github.com/tensorflow/tensorflow/commit/e746adbfcfee15e9cfdb391ff746c765b99bdf9b Patch 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-24x4-6qmh-88qg Patch 3rd Party
- github.com/YoussefJeridi/vulTenserflow Exploit
- github.com/YoussefJeridi/vulTensorflow Exploit
Related Vulnerabilities
- CVE-2020-15196 (9.9) TensorFlow: heap OOB read in sparse/ragged count ops. Same package: tensorflow
- CVE-2020-15205 (9.8) TensorFlow: heap overflow in StringNGrams, ASLR bypass. Same package: tensorflow
- CVE-2020-15208 (9.8) TFLite: OOB read/write via tensor dimension mismatch. Same package: tensorflow
- CVE-2019-16778 (9.8) TensorFlow: heap overflow in UnsortedSegmentSum op. Same package: tensorflow
- CVE-2022-23587 (9.8) TensorFlow: integer overflow in Grappler enables RCE. Same package: tensorflow