CVE-2022-29191 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

A low-privileged local user can crash TensorFlow processes by passing malformed arguments to GetSessionTensor, triggering an unhandled CHECK failure. Risk is highest in shared ML environments — Jupyter hubs, training clusters, or multi-tenant notebooks where untrusted users have local access. Patch immediately to TF 2.9.0, 2.8.1, 2.7.2, or 2.6.4; restrict local access to ML compute as a compensating control.

Risk Assessment

Medium severity with constrained exploitability: attack is local-only (AV:L), requires only low privileges, and impact is limited to availability (no confidentiality or integrity loss). Real-world risk escalates significantly in multi-tenant ML platforms, shared research clusters, or containerized training environments where multiple users share the same TensorFlow process. Production inference APIs exposed only over network are not directly vulnerable. Not in CISA KEV; no evidence of active exploitation.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 34% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch: upgrade to TF 2.9.0, 2.8.1, 2.7.2, or 2.6.4 — all contain the fix (commit 48305e8).
If patching is delayed: restrict local user access to ML compute nodes via OS-level controls (user namespaces, seccomp, cgroups).
In multi-tenant environments, isolate TF workloads per user via separate containers or VMs.
Detection: monitor for unexpected TF process crashes or CHECK failure messages in logs (grep for 'Check failed' in TF stderr).
Audit usage of tf.raw_ops.GetSessionTensor in your codebase — this raw op is rarely needed in TF2-native code.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system operational monitoring and resilience

NIST AI RMF

MANAGE 2.2 - Mechanisms exist to sustain value and minimize negative impacts of AI systems

OWASP LLM Top 10

LLM09 - Overreliance (mitigated via robust infrastructure)

Frequently Asked Questions

What is CVE-2022-29191?

A low-privileged local user can crash TensorFlow processes by passing malformed arguments to GetSessionTensor, triggering an unhandled CHECK failure. Risk is highest in shared ML environments — Jupyter hubs, training clusters, or multi-tenant notebooks where untrusted users have local access. Patch immediately to TF 2.9.0, 2.8.1, 2.7.2, or 2.6.4; restrict local access to ML compute as a compensating control.

Is CVE-2022-29191 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-29191, increasing the risk of exploitation.

How to fix CVE-2022-29191?

1. Patch: upgrade to TF 2.9.0, 2.8.1, 2.7.2, or 2.6.4 — all contain the fix (commit 48305e8). 2. If patching is delayed: restrict local user access to ML compute nodes via OS-level controls (user namespaces, seccomp, cgroups). 3. In multi-tenant environments, isolate TF workloads per user via separate containers or VMs. 4. Detection: monitor for unexpected TF process crashes or CHECK failure messages in logs (grep for 'Check failed' in TF stderr). 5. Audit usage of tf.raw_ops.GetSessionTensor in your codebase — this raw op is rarely needed in TF2-native code.

What systems are affected by CVE-2022-29191?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML notebook environments.

What is the CVSS score for CVE-2022-29191?

CVE-2022-29191 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.14%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.GetSessionTensor` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Exploitation Scenario

An attacker with a low-privileged account on a shared GPU training server (e.g., a data scientist account on a shared Jupyter hub) imports TensorFlow and calls tf.raw_ops.GetSessionTensor with deliberately malformed or out-of-bounds input arguments. The missing input validation triggers an internal CHECK assertion failure, which TensorFlow converts to a fatal abort, crashing the entire TF process. If the victim is running a long training job in the same process or on the same shared server, the job is killed with no checkpoint recovery. In a multi-tenant notebook environment, this disrupts all users sharing that kernel or worker process.