CVE-2022-29193 — MEDIUM (CVSS 5.5) AI Security Vulnerability

Q: Is CVE-2022-29193 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-29193, increasing the risk of exploitation.

Q: How to fix CVE-2022-29193?

1. PATCH: Upgrade TensorFlow to 2.9.0, 2.8.1, 2.7.2, or 2.6.4. Verify with `pip show tensorflow`. 2. WORKAROUND: Audit code for direct calls to tf.raw_ops.TensorSummaryV2 and validate tensor_dtype and metadata arguments before invocation. 3. MULTI-TENANT HARDENING: Enforce namespace/pod isolation in Kubeflow/JupyterHub to prevent cross-tenant disruption. Apply resource quotas to limit blast radius. 4. DETECTION: Monitor for unexpected TensorFlow process crashes (exit code 134 / SIGABRT) in training infrastructure logs. Alert on repeated abort signals from the same user session. 5. INVENTORY: Identify all ML training pipelines using TensorFlow < 2.6.4 via SBOM or dependency scanning (pip-audit, Safety).

Q: What systems are affected by CVE-2022-29193?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, experiment tracking systems, model monitoring, multi-tenant ML platforms.

Q: What is the CVSS score for CVE-2022-29193?

CVE-2022-29193 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.05%.

CISO Take

A low-privilege local user can crash TensorFlow processes by passing invalid arguments to tf.raw_ops.TensorSummaryV2, triggering a CHECK-failure. Patch to TF 2.9.0, 2.8.1, 2.7.2, or 2.6.4 immediately — multi-tenant ML environments (shared Jupyter clusters, CI/CD training pipelines) are the primary risk surface. Impact is availability only; no data exfiltration or code execution.

Risk Assessment

Effective risk is LOW-MEDIUM despite CVSS 5.5. The local attack vector significantly limits exposure — an attacker needs an authenticated session on the host running TensorFlow. In dedicated single-user workstations the risk is negligible. In shared ML platforms (JupyterHub, Kubeflow, SageMaker Studio multi-tenant), a malicious or compromised tenant could disrupt co-located training jobs. The vulnerability requires no AI/ML expertise and is trivially exploitable once local access is obtained. Not in CISA KEV; no evidence of in-the-wild exploitation.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 15% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

PATCH

Upgrade TensorFlow to 2.9.0, 2.8.1, 2.7.2, or 2.6.4. Verify with pip show tensorflow.
WORKAROUND

Audit code for direct calls to tf.raw_ops.TensorSummaryV2 and validate tensor_dtype and metadata arguments before invocation.
MULTI-TENANT HARDENING: Enforce namespace/pod isolation in Kubeflow/JupyterHub to prevent cross-tenant disruption. Apply resource quotas to limit blast radius.
DETECTION

Monitor for unexpected TensorFlow process crashes (exit code 134 / SIGABRT) in training infrastructure logs. Alert on repeated abort signals from the same user session.
INVENTORY

Identify all ML training pipelines using TensorFlow < 2.6.4 via SBOM or dependency scanning (pip-audit, Safety).

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Training Data AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system availability and resilience

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain and maintain AI risk management MAP 2.2 - Scientific findings and AI risks are monitored

Frequently Asked Questions

What is CVE-2022-29193?

A low-privilege local user can crash TensorFlow processes by passing invalid arguments to tf.raw_ops.TensorSummaryV2, triggering a CHECK-failure. Patch to TF 2.9.0, 2.8.1, 2.7.2, or 2.6.4 immediately — multi-tenant ML environments (shared Jupyter clusters, CI/CD training pipelines) are the primary risk surface. Impact is availability only; no data exfiltration or code execution.

Is CVE-2022-29193 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-29193, increasing the risk of exploitation.

How to fix CVE-2022-29193?

1. PATCH: Upgrade TensorFlow to 2.9.0, 2.8.1, 2.7.2, or 2.6.4. Verify with `pip show tensorflow`. 2. WORKAROUND: Audit code for direct calls to tf.raw_ops.TensorSummaryV2 and validate tensor_dtype and metadata arguments before invocation. 3. MULTI-TENANT HARDENING: Enforce namespace/pod isolation in Kubeflow/JupyterHub to prevent cross-tenant disruption. Apply resource quotas to limit blast radius. 4. DETECTION: Monitor for unexpected TensorFlow process crashes (exit code 134 / SIGABRT) in training infrastructure logs. Alert on repeated abort signals from the same user session. 5. INVENTORY: Identify all ML training pipelines using TensorFlow < 2.6.4 via SBOM or dependency scanning (pip-audit, Safety).

What systems are affected by CVE-2022-29193?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, experiment tracking systems, model monitoring, multi-tenant ML platforms.

What is the CVSS score for CVE-2022-29193?

CVE-2022-29193 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.05%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.TensorSummaryV2` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Exploitation Scenario

An insider threat or compromised data-scientist account with shell access to a shared ML training cluster imports TensorFlow and calls tf.raw_ops.TensorSummaryV2 with a malformed metadata argument (e.g., an empty or mismatched dtype). TensorFlow's CHECK macro fires, raising SIGABRT and killing the process. On a Kubernetes-based ML platform without proper pod isolation, this can be repeated in a loop to continuously abort legitimate training jobs belonging to other tenants, effectively conducting a targeted denial-of-service against specific model development efforts — without any elevated privileges.