CVE-2022-29197 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

A missing scalar validation in TensorFlow's UnsortedSegmentJoin op allows any user with local/code execution access to crash TF processes via a crafted input. The local attack vector limits blast radius, but shared ML training platforms and multi-tenant notebook environments (Jupyter, Vertex AI, SageMaker) are the primary exposure. Patch all TF deployments to 2.9.0, 2.8.1, 2.7.2, or 2.6.4 — no workaround exists.

Risk Assessment

Medium risk overall, elevated in multi-tenant ML platforms. CVSS 5.5 reflects the local-only vector, but in practice any environment where external users can submit TF graphs (shared notebooks, model serving endpoints that accept raw ops, CI/CD pipelines processing user-supplied models) becomes a DoS surface with low-skill exploitation. Not in CISA KEV and no public exploit code observed, reducing urgency for air-gapped environments.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 17% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch: upgrade TensorFlow to ≥2.9.0, 2.8.1 (2.8.x branch), 2.7.2 (2.7.x branch), or 2.6.4 (2.6.x branch). No configuration workaround exists.
Restrict model execution: limit which users/services can submit arbitrary TF graphs — enforce allowlisted SavedModel signatures in serving.
Isolate training workers: run TF training jobs in sandboxed containers (gVisor, Firecracker) so a crash doesn't cascade.
Monitor for CHECK-failure crashes in TF logs (tensorflow::errors::InvalidArgument) as an anomaly signal.
Inventory: audit all TF versions across training, serving, and experimentation environments — notebook servers are frequently overlooked.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity for high-risk AI

ISO 42001

A.6.2.5 - AI system operational performance and monitoring

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain trustworthy AI operation

OWASP LLM Top 10

LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2022-29197?

A missing scalar validation in TensorFlow's UnsortedSegmentJoin op allows any user with local/code execution access to crash TF processes via a crafted input. The local attack vector limits blast radius, but shared ML training platforms and multi-tenant notebook environments (Jupyter, Vertex AI, SageMaker) are the primary exposure. Patch all TF deployments to 2.9.0, 2.8.1, 2.7.2, or 2.6.4 — no workaround exists.

Is CVE-2022-29197 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-29197, increasing the risk of exploitation.

How to fix CVE-2022-29197?

1. Patch: upgrade TensorFlow to ≥2.9.0, 2.8.1 (2.8.x branch), 2.7.2 (2.7.x branch), or 2.6.4 (2.6.x branch). No configuration workaround exists. 2. Restrict model execution: limit which users/services can submit arbitrary TF graphs — enforce allowlisted SavedModel signatures in serving. 3. Isolate training workers: run TF training jobs in sandboxed containers (gVisor, Firecracker) so a crash doesn't cascade. 4. Monitor for CHECK-failure crashes in TF logs (`tensorflow::errors::InvalidArgument`) as an anomaly signal. 5. Inventory: audit all TF versions across training, serving, and experimentation environments — notebook servers are frequently overlooked.

What systems are affected by CVE-2022-29197?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared notebook environments, model evaluation pipelines, ML CI/CD infrastructure.

What is the CVSS score for CVE-2022-29197?

CVE-2022-29197 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.UnsortedSegmentJoin` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. The code assumes `num_segments` is a scalar but there is no validation for this before accessing its value. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Exploitation Scenario

An attacker with access to a shared ML notebook environment (e.g., JupyterHub, Google Colab enterprise) crafts a minimal TF script calling `tf.raw_ops.UnsortedSegmentJoin` with a multi-dimensional tensor as `num_segments` instead of a scalar. When executed, TF's CHECK macro fires, triggering an abort/crash of the TF runtime process. In a shared Jupyter environment, this terminates other users' kernels. In an automated model evaluation pipeline that imports and runs user-submitted models, an adversary submits a poisoned SavedModel embedding this op call, crashing the evaluation worker and potentially delaying or disrupting model release pipelines.