CVE-2022-29192 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

A local attacker with low privileges can crash TensorFlow processes by passing malformed arguments to the QuantizeAndDequantizeV4Grad op, triggering a CHECK-failure assertion. Patch immediately to TF 2.6.4, 2.7.2, 2.8.1, or 2.9.0+ if your ML infrastructure runs on affected versions. Risk is limited to availability — no data exfiltration or code execution vector exists here.

Risk Assessment

Medium severity with limited real-world blast radius. The local attack vector (AV:L) is the key constraint — an adversary needs an existing foothold on the machine running TensorFlow. In shared ML compute environments (JupyterHub clusters, multi-tenant GPU nodes, CI/CD runners), this becomes more concerning since a low-privileged user could disrupt training jobs or crash inference services. CVSS 5.5 is accurate; exploitability is straightforward once local access exists, but gaining that access is the hard part.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 25% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch: Upgrade TensorFlow to 2.6.4, 2.7.2, 2.8.1, or 2.9.0+. Verify via pip show tensorflow.
Isolation: Restrict local access to ML compute nodes — minimize shared JupyterHub instances and enforce per-user containerization.
Input validation: If accepting external model inference requests, validate and sanitize gradient operation inputs at the API boundary before passing to TF ops.
Detection: Monitor for abnormal TensorFlow process crashes (CHECK-failure logs contain 'Check failed:'); correlate with unexpected local logins or CI job failures.
Workaround: If patching is not immediately possible, disable or restrict access to raw TF op endpoints.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0043.003 - Manual Modification

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI system processes

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems

OWASP LLM Top 10

LLM09 - Overreliance

Frequently Asked Questions

What is CVE-2022-29192?

A local attacker with low privileges can crash TensorFlow processes by passing malformed arguments to the QuantizeAndDequantizeV4Grad op, triggering a CHECK-failure assertion. Patch immediately to TF 2.6.4, 2.7.2, 2.8.1, or 2.9.0+ if your ML infrastructure runs on affected versions. Risk is limited to availability — no data exfiltration or code execution vector exists here.

Is CVE-2022-29192 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-29192, increasing the risk of exploitation.

How to fix CVE-2022-29192?

1. Patch: Upgrade TensorFlow to 2.6.4, 2.7.2, 2.8.1, or 2.9.0+. Verify via `pip show tensorflow`. 2. Isolation: Restrict local access to ML compute nodes — minimize shared JupyterHub instances and enforce per-user containerization. 3. Input validation: If accepting external model inference requests, validate and sanitize gradient operation inputs at the API boundary before passing to TF ops. 4. Detection: Monitor for abnormal TensorFlow process crashes (CHECK-failure logs contain 'Check failed:'); correlate with unexpected local logins or CI job failures. 5. Workaround: If patching is not immediately possible, disable or restrict access to raw TF op endpoints.

What systems are affected by CVE-2022-29192?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, model compression workflows, MLOps platforms.

What is the CVSS score for CVE-2022-29192?

CVE-2022-29192 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.09%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.QuantizeAndDequantizeV4Grad` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Exploitation Scenario

An insider threat or attacker who has compromised a data scientist's account on a shared ML cluster deliberately calls `tf.raw_ops.QuantizeAndDequantizeV4Grad` with crafted tensor arguments that fail internal validation checks. The resulting CHECK-failure crashes the TensorFlow process, killing ongoing training jobs and potentially corrupting checkpoints. In a multi-tenant Kubernetes environment with a shared TF serving deployment, the same input sent to a quantized model's inference endpoint terminates the serving pod, causing a denial of service affecting all downstream applications consuming that model.