CVE-2022-23585: TensorFlow: memory leak in PNG decode causes DoS

Severity: MEDIUM | PoC available | CISA SSVC: Track*
Published February 4, 2022
CISO Take

Authenticated users can crash TensorFlow image processing services by submitting malformed PNG files, exhausting memory without cleanup. If you expose TensorFlow-based image inference endpoints—CV models, image classifiers, multimodal pipelines—to any authenticated user or internal service, patch immediately to TF 2.8.0, 2.7.1, 2.6.3, or 2.5.3. No workaround exists short of input validation that rejects malformed PNGs before they reach the decoder.

Risk Assessment

Medium severity in isolation, but operationally significant for production ML serving. Low attack complexity and low required privileges mean that any authenticated API user—or a compromised internal service account—can trigger it repeatedly to degrade or crash an inference node. The absence of a CISA KEV listing and of active-exploitation evidence keeps this out of the critical tier, but unpatched TF deployments processing untrusted image inputs face real DoS risk in multi-tenant or externally accessible environments.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents 4% patched ~1372d to patch

Severity & Risk

CVSS 3.1: 6.5 / 10
EPSS: 0.7% chance of exploitation in 30 days (higher than 71% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

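AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High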

Recommended Action

5 steps
  1. PATCH

    Upgrade to TensorFlow 2.8.0, 2.7.1, 2.6.3, or 2.5.3 — the fix is cherry-picked across all supported branches.

  2. VALIDATE INPUTS

    Implement upstream PNG validation (e.g., Pillow's verify() or libpng header checks) before passing images to TensorFlow decoders.

  3. RESOURCE LIMITS

    Apply memory limits and OOM kill policies to TF Serving containers/pods so a leak crash is bounded and auto-restarts.

  4. RATE LIMIT

    Throttle authenticated image submission endpoints to slow exhaustion attacks.

  5. MONITOR

    Alert on abnormal memory growth in TF serving processes — this leak is detectable via standard container memory metrics.
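
The upstream gate from step 2, written out as an added example (not code from this page or from TensorFlow): a standard-library pre-filter that checks the signature, chunk CRCs, IHDR fields and the inflated IDAT length before an image is handed to the decoder. `MAX_PIXELS`, the function names and the choice to reject interlaced files are assumptions of this sketch; the page does not say which malformations reach the leaking error paths, so the gate complements the patch rather than replacing it.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# colour type -> (samples per pixel, allowed bit depths), per the PNG specification
FORMATS = {0: (1, (1, 2, 4, 8, 16)), 2: (3, (8, 16)), 3: (1, (1, 2, 4, 8)),
           4: (2, (8, 16)), 6: (4, (8, 16))}
MAX_PIXELS = 16 * 1024 * 1024  # assumed policy limit, not a value from the page

def _chunks(data):
    """Yield (type, payload) per chunk; raise ValueError on truncation or bad CRC."""
    pos = len(PNG_SIG)
    while pos < len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        end = pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("truncated chunk")
        if zlib.crc32(data[pos + 4:end]) != int.from_bytes(data[end:end + 4], "big"):
            raise ValueError("bad chunk CRC")
        yield data[pos + 4:pos + 8], data[pos + 8:end]
        pos = end + 4

def check_png(data):
    """Return None if the PNG is structurally sound, else a rejection reason."""
    if not data.startswith(PNG_SIG):
        return "bad signature"
    try:
        chunks = list(_chunks(data))
    except ValueError as exc:
        return str(exc)
    if not chunks or chunks[0][0] != b"IHDR" or len(chunks[0][1]) != 13:
        return "missing or malformed IHDR"
    if chunks[-1][0] != b"IEND":
        return "missing IEND"
    w, h, depth, colour, comp, filt, lace = struct.unpack(">IIBBBBB", chunks[0][1])
    if colour not in FORMATS or depth not in FORMATS[colour][1]:
        return "invalid colour type or bit depth"
    if w == 0 or h == 0 or w * h > MAX_PIXELS:
        return "dimensions out of policy"
    if comp or filt or lace:  # strict gate: interlaced files are refused (assumption)
        return "unsupported compression, filter or interlace"
    # Non-interlaced layout: each row is one filter byte plus the packed samples.
    expected = h * (1 + (w * FORMATS[colour][0] * depth + 7) // 8)
    inflater = zlib.decompressobj()
    try:  # cap the output so a deflate bomb cannot exhaust memory in the gate itself
        raw = inflater.decompress(b"".join(p for t, p in chunks if t == b"IDAT"), expected + 1)
    except zlib.error:
        return "corrupt IDAT stream"
    return None if len(raw) == expected and inflater.eof else "pixel data length mismatch"
```

Call `check_png()` on the raw upload bytes and reject the request when it returns a reason; logging that reason per caller also feeds the rate-limit and monitoring steps.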

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.9.3 - AI system robustness and availability
NIST AI RMF: MEASURE 2.5 - AI system resilience and robustness testing
OWASP LLM Top 10: LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2022-23585?

Authenticated users can crash TensorFlow image processing services by submitting malformed PNG files, exhausting memory without cleanup. If you expose TensorFlow-based image inference endpoints—CV models, image classifiers, multimodal pipelines—to any authenticated user or internal service, patch immediately to TF 2.8.0, 2.7.1, 2.6.3, or 2.5.3. No workaround exists short of input validation that rejects malformed PNGs before they reach the decoder.

Is CVE-2022-23585 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-23585, increasing the risk of exploitation.

How to fix CVE-2022-23585?

1. PATCH: Upgrade to TensorFlow 2.8.0, 2.7.1, 2.6.3, or 2.5.3 — the fix is cherry-picked across all supported branches.
2. VALIDATE INPUTS: Implement upstream PNG validation (e.g., Pillow's verify() or libpng header checks) before passing images to TensorFlow decoders.
3. RESOURCE LIMITS: Apply memory limits and OOM kill policies to TF Serving containers/pods so a leak crash is bounded and auto-restarts.
4. RATE LIMIT: Throttle authenticated image submission endpoints to slow exhaustion attacks.
5. MONITOR: Alert on abnormal memory growth in TF serving processes — this leak is detectable via standard container memory metrics.

What systems are affected by CVE-2022-23585?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference APIs, image processing pipelines.

What is the CVSS score for CVE-2022-23585?

CVE-2022-23585 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.66%.

Technical Details

NVD Description

TensorFlow is an Open Source Machine Learning Framework. When decoding PNG images TensorFlow can produce a memory leak if the image is invalid. After calling `png::CommonInitDecode(..., &decode)`, the `decode` value contains allocated buffers which can only be freed by calling `png::CommonFreeDecode(&decode)`. However, several error cases in the function implementation invoke the `OP_REQUIRES` macro which immediately terminates the execution of the function, without allowing for the memory free to occur. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with low-privilege API access to a computer vision inference service (e.g., an image classification endpoint used for product moderation or medical imaging) crafts a batch of syntactically invalid PNG files — malformed IHDR chunks or truncated image data that passes basic size checks but fails internal TensorFlow decode validation. They submit these in rapid succession via the API. Each request triggers the memory leak in `decode_image_op.cc` without cleanup. Over minutes to hours, the TF Serving instance exhausts available memory, causing OOM crashes. In a Kubernetes environment without proper restart limits, this creates a degradation-of-service loop. In a training pipeline context, an adversary with write access to a shared training dataset store poisons it with invalid PNGs, causing training jobs to crash and forcing costly re-runs.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: February 4, 2022
Last Modified: November 21, 2024
First Seen: February 4, 2022
