AI Threat Alert AI Threat Alert

CVE-2022-29196: TensorFlow: DoS via invalid Conv3D filter input

MEDIUM PoC AVAILABLE CISA: TRACK*
Published May 20, 2022
CISO Take

Low-priority patching item for teams running TensorFlow below 2.6.4/2.7.2/2.8.1/2.9.0. An attacker with local access can crash training jobs by passing a malformed filter_sizes argument to Conv3DBackpropFilterV2, triggering a CHECK assertion failure. Upgrade to any patched version; highest risk on multi-tenant shared GPU clusters where job isolation is weak.

Risk Assessment

Low operational risk for most environments. Exploitation requires local access with user-level privileges — no remote vector exists without a prior foothold. Impact is strictly availability (no confidentiality or integrity exposure). Primary threat actor is a malicious insider or an adversary who has already compromised a training node or shared notebook environment. Not in CISA KEV; no public evidence of active exploitation.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
5.5 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 17% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C None
I None
A High

Recommended Action

4 steps

  1. Patch: Upgrade TensorFlow to ≥2.6.4, ≥2.7.2, ≥2.8.1, or ≥2.9.0 immediately if running 3D CNN workloads.

  2. Isolation: Enforce job-level sandboxing on shared ML compute clusters; restrict who can submit arbitrary training scripts.

  3. Detection: Monitor TensorFlow process logs for CHECK-failure stack traces in conv_grad_ops_3d.cc as an anomaly indicator.

  4. Interim workaround if patching is delayed: validate that filter_sizes is a 1D tensor before calling the op in any custom training code.

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework AML.T0029 AML.T0034 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity for high-risk AI
ISO 42001
A.9.7 - AI system robustness and reliability
NIST AI RMF
MANAGE 2.2 - Resilience and reliability of AI systems
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2022-29196?

Low-priority patching item for teams running TensorFlow below 2.6.4/2.7.2/2.8.1/2.9.0. An attacker with local access can crash training jobs by passing a malformed filter_sizes argument to Conv3DBackpropFilterV2, triggering a CHECK assertion failure. Upgrade to any patched version; highest risk on multi-tenant shared GPU clusters where job isolation is weak.

Is CVE-2022-29196 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-29196, increasing the risk of exploitation.

How to fix CVE-2022-29196?

1. Patch: Upgrade TensorFlow to ≥2.6.4, ≥2.7.2, ≥2.8.1, or ≥2.9.0 immediately if running 3D CNN workloads. 2. Isolation: Enforce job-level sandboxing on shared ML compute clusters; restrict who can submit arbitrary training scripts. 3. Detection: Monitor TensorFlow process logs for CHECK-failure stack traces in conv_grad_ops_3d.cc as an anomaly indicator. 4. Interim workaround if patching is delayed: validate that filter_sizes is a 1D tensor before calling the op in any custom training code.

What systems are affected by CVE-2022-29196?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, MLOps infrastructure, shared GPU compute clusters.

What is the CVSS score for CVE-2022-29196?

CVE-2022-29196 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.Conv3DBackpropFilterV2` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. The code does not validate that the `filter_sizes` argument is a vector. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Exploitation Scenario

An attacker with access to a shared ML training platform — internal GPU cluster, cloud notebook (Vertex AI, SageMaker), or CI/CD pipeline running model training — submits a script calling tf.raw_ops.Conv3DBackpropFilterV2 with filter_sizes passed as a 2D tensor instead of a vector. TensorFlow's CHECK macro fires, immediately killing the training process with a SIGABRT. On a shared cluster, this crashes co-located jobs and can be looped to continuously deny training capacity, delaying model delivery or erasing unsaved checkpoints from production model retraining pipelines.

Weaknesses (CWE)

CWE-1284 Primary CWE-20

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
May 20, 2022
Last Modified
November 21, 2024
First Seen
May 20, 2022

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed