CVE-2022-23584: TensorFlow: use-after-free in PNG decode causes DoS

MEDIUM | PoC AVAILABLE | CISA: TRACK*
Published February 4, 2022
CISO Take

Any TensorFlow deployment on 2.5.x–2.7.x that processes PNG images—inference APIs, training pipelines, or preprocessing services—can be crashed by a malicious image sent over the network with only low privileges. No confidentiality impact, but availability loss in production ML services is operationally significant. Patch to TF 2.8.0 (or the applicable backport) now; if patching is delayed, add upstream input validation to reject malformed images before they reach the TF decode layer.

Risk Assessment

Medium severity with tangible operational risk for ML serving infrastructure. CVSS 6.5 reflects DoS-only impact, but the low attack complexity and network exploitability make it straightforward to trigger reliably. In production inference environments where TensorFlow processes user-supplied images, an attacker with API-level access can induce repeated crashes and sustained outages. Use-after-free bugs carry theoretical RCE potential, but no confirmed exploit chain for code execution has been published for this specific issue.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
tensorflow | pip | | No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch

Severity & Risk

CVSS 3.1: 6.5 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 48% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: None
A: High

Recommended Action

  1. Patch: Upgrade to TensorFlow 2.8.0 or apply the backport to 2.7.1, 2.6.3, or 2.5.3.

  2. Input validation: Validate image format, dimensions, and file header at the API boundary before passing to TF decode ops—reject anomalous PNGs upstream.

  3. Process isolation: Run TF inference workers in separate processes or containers so a crash does not cascade to the full service.

  4. Least privilege: Require authentication on all inference API endpoints to prevent unauthenticated exploitation.

  5. Detection: Alert on unexpected TF process restarts, SIGSEGV signals, or OOMKilled events in serving infrastructure; repeated crashes against the same endpoint are a strong indicator.
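
Step 2 as an added example (not code from the advisory or the TensorFlow project): a pre-decode gate in Python that checks the PNG signature, chunk framing and CRCs, and the IHDR fields before the bytes reach a TF decode op. `MAX_DIMENSION` and `MAX_BYTES` are assumed service limits; the gate rejects structurally malformed files in general and does not claim to match the specific trigger for this CVE.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_DIMENSION = 8192          # assumed service limit, tune per deployment
MAX_BYTES = 16 * 1024 * 1024  # assumed upload cap
# Bit depths the PNG specification allows for each colour type.
VALID_DEPTHS = {0: {1, 2, 4, 8, 16}, 2: {8, 16}, 3: {1, 2, 4, 8},
                4: {8, 16}, 6: {8, 16}}


def validate_png(data: bytes) -> tuple:
    """Return (ok, reason) for an upload, before it reaches any TF decode op."""
    if len(data) > MAX_BYTES:
        return False, "file too large"
    if not data.startswith(PNG_SIGNATURE):
        return False, "bad signature"
    pos, seen_ihdr, seen_idat = len(PNG_SIGNATURE), False, False
    while pos + 12 <= len(data):  # 12 = length + type + CRC of an empty chunk
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return False, "truncated chunk"
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) != crc:
            return False, "crc mismatch"
        if not seen_ihdr:  # IHDR must be the first chunk and exactly 13 bytes
            if ctype != b"IHDR" or length != 13:
                return False, "IHDR missing or malformed"
            width, height, depth, color, comp, filt, lace = struct.unpack(">IIBBBBB", body)
            if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
                return False, "dimensions out of range"
            if depth not in VALID_DEPTHS.get(color, ()):
                return False, "invalid colour type / bit depth"
            if comp != 0 or filt != 0 or lace not in (0, 1):
                return False, "invalid IHDR method fields"
            seen_ihdr = True
        elif ctype == b"IHDR":
            return False, "duplicate IHDR"
        elif ctype == b"IDAT":
            seen_idat = True
        elif ctype == b"IEND":  # must be empty, follow image data, end the file
            if length != 0 or not seen_idat or end != len(data):
                return False, "bad IEND or trailing data"
            return True, "ok"
        pos = end
    return False, "missing IEND"
```

Rejections are worth logging with the caller's identity, since repeated malformed uploads from one account line up with the crash-loop signal in step 5.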

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.10.1 - Information security in AI system development
NIST AI RMF: MANAGE-2.2 - Mechanisms to sustain the value of deployed AI systems
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2022-23584?

Any TensorFlow deployment on 2.5.x–2.7.x that processes PNG images—inference APIs, training pipelines, or preprocessing services—can be crashed by a malicious image sent over the network with only low privileges. No confidentiality impact, but availability loss in production ML services is operationally significant. Patch to TF 2.8.0 (or the applicable backport) now; if patching is delayed, add upstream input validation to reject malformed images before they reach the TF decode layer.

Is CVE-2022-23584 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-23584, increasing the risk of exploitation.

How to fix CVE-2022-23584?

  1. Patch: Upgrade to TensorFlow 2.8.0 or apply the backport to 2.7.1, 2.6.3, or 2.5.3.

  2. Input validation: Validate image format, dimensions, and file header at the API boundary before passing to TF decode ops—reject anomalous PNGs upstream.

  3. Process isolation: Run TF inference workers in separate processes or containers so a crash does not cascade to the full service.

  4. Least privilege: Require authentication on all inference API endpoints to prevent unauthenticated exploitation.

  5. Detection: Alert on unexpected TF process restarts, SIGSEGV signals, or OOMKilled events in serving infrastructure; repeated crashes against the same endpoint are a strong indicator.

What systems are affected by CVE-2022-23584?

This vulnerability affects the following AI/ML architecture patterns: ML inference services, training pipelines, data preprocessing pipelines, model serving, notebook environments.

What is the CVSS score for CVE-2022-23584?

CVE-2022-23584 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.25%.

Technical Details

NVD Description

Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a use after free behavior when decoding PNG images. After `png::CommonFreeDecode(&decode)` gets called, the values of `decode.width` and `decode.height` are in an unspecified state. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with low-privilege access to an image classification inference API (e.g., a registered user of an ML SaaS built on TensorFlow) crafts a malicious PNG that triggers the use-after-free in `tensorflow/core/kernels/image/decode_image_op.cc`. When TensorFlow calls `png::CommonFreeDecode(&decode)` and the decode struct is freed, the adversary's payload causes the process to access stale `decode.width`/`decode.height` memory. The TF serving process crashes. In a multi-tenant environment this disrupts availability for all users simultaneously. If the service auto-restarts without alerting, the adversary can send repeated requests to maintain a sustained outage with minimal effort.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: February 4, 2022
Last Modified: November 21, 2024
First Seen: February 4, 2022
