AI Threat Alert AI Threat Alert

CVE-2022-29194: TensorFlow: DoS via malformed DeleteSessionTensor input

MEDIUM PoC AVAILABLE CISA: TRACK*
Published May 20, 2022
CISO Take

Low-privilege local attacker can crash TensorFlow processes by passing invalid arguments to DeleteSessionTensor, causing a CHECK-failure. In shared ML environments (JupyterHub, multi-tenant GPU clusters), this becomes a lateral disruption vector. Patch immediately to TF 2.9.0, 2.8.1, 2.7.2, or 2.6.4.

Risk Assessment

Medium severity (CVSS 5.5) with local attack vector and low privilege requirement. Standalone risk is limited by the requirement for local access. Risk escalates significantly in shared ML infrastructure — data scientists and ML engineers routinely share compute nodes, making local privilege trivially obtained. No confidentiality or integrity impact. Not in CISA KEV and no reported active exploitation as of patch release.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
5.5 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 25% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C None
I None
A High

Recommended Action

5 steps

  1. Upgrade TensorFlow to 2.9.0, 2.8.1, 2.7.2, or 2.6.4 immediately — patches are available.

  2. If patching is not immediately possible, restrict access to raw TF ops interfaces and audit who has local execution rights on ML compute nodes.

  3. Implement process isolation between tenants in shared ML environments (containerization per user/job).

  4. Monitor for unexpected TensorFlow process crashes or CHECK-failure stack traces in system logs as a detection signal.

  5. Audit JupyterHub and ML platform configurations to enforce user namespacing.

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0029 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.2 - AI system robustness A.9.7 - Availability of AI systems
NIST AI RMF
GOVERN 6.1 - AI risk and impacts are tracked MANAGE 2.2 - Mechanisms to sustain AI risk management

Frequently Asked Questions

What is CVE-2022-29194?

Low-privilege local attacker can crash TensorFlow processes by passing invalid arguments to DeleteSessionTensor, causing a CHECK-failure. In shared ML environments (JupyterHub, multi-tenant GPU clusters), this becomes a lateral disruption vector. Patch immediately to TF 2.9.0, 2.8.1, 2.7.2, or 2.6.4.

Is CVE-2022-29194 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-29194, increasing the risk of exploitation.

How to fix CVE-2022-29194?

1. Upgrade TensorFlow to 2.9.0, 2.8.1, 2.7.2, or 2.6.4 immediately — patches are available. 2. If patching is not immediately possible, restrict access to raw TF ops interfaces and audit who has local execution rights on ML compute nodes. 3. Implement process isolation between tenants in shared ML environments (containerization per user/job). 4. Monitor for unexpected TensorFlow process crashes or CHECK-failure stack traces in system logs as a detection signal. 5. Audit JupyterHub and ML platform configurations to enforce user namespacing.

What systems are affected by CVE-2022-29194?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML development environments, multi-tenant compute clusters.

What is the CVSS score for CVE-2022-29194?

CVE-2022-29194 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.09%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.DeleteSessionTensor` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Exploitation Scenario

An adversary with a low-privilege account on a shared ML training server identifies that TensorFlow is running session-based workloads. They invoke tf.raw_ops.DeleteSessionTensor with a crafted invalid argument — no special ML knowledge required, the exploit is trivial once the CVE details are known. The resulting CHECK-failure crashes the TensorFlow process, terminating any co-located training jobs and disrupting model serving. In a JupyterHub environment, a malicious tenant repeats this against another user's session, causing recurring availability disruptions without detection if crash logs are not monitored.

Weaknesses (CWE)

CWE-20

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
May 20, 2022
Last Modified
November 21, 2024
First Seen
May 20, 2022

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed