CVE-2022-29199 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

A local attacker with low privileges can crash TensorFlow processes by passing malformed input to LoadAndRemapMatrix, enabling denial of service against training jobs and inference pipelines. Patch to TF 2.9.0, 2.8.1, 2.7.2, or 2.6.4 immediately—especially in shared compute environments (Jupyter, ML platforms, cloud notebooks) where untrusted users have TF access. No confidentiality or integrity risk; impact is limited to availability.

Risk Assessment

Medium risk overall, elevated in multi-tenant ML environments. CVSS 5.5 with local, low-privilege access limits widespread exploitation, but shared Jupyter servers, ML platforms, and cloud notebook environments routinely provide that access to potentially untrusted users. No active exploitation observed and not listed in CISA KEV. Primary concern is disruption of training jobs or inference services in environments without strict process isolation.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 17% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch: Upgrade to TensorFlow 2.9.0, 2.8.1, 2.7.2, or 2.6.4.
Pre-patch workaround: Validate that initializing_values is explicitly a 1-D vector before passing to LoadAndRemapMatrix in any user-influenced code path.
Access control: Restrict tf.raw_ops access in multi-tenant environments; consider sandboxing notebook environments with process isolation per user.
Monitoring: Alert on unexpected TF process crashes in production inference or training infrastructure.
Code review: Audit codebases that call tf.raw_ops.LoadAndRemapMatrix with user-controlled or externally-sourced tensor inputs.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

8.4 - AI system operation

NIST AI RMF

MANAGE-2.4 - Residual risks and vulnerabilities

Frequently Asked Questions

What is CVE-2022-29199?

A local attacker with low privileges can crash TensorFlow processes by passing malformed input to LoadAndRemapMatrix, enabling denial of service against training jobs and inference pipelines. Patch to TF 2.9.0, 2.8.1, 2.7.2, or 2.6.4 immediately—especially in shared compute environments (Jupyter, ML platforms, cloud notebooks) where untrusted users have TF access. No confidentiality or integrity risk; impact is limited to availability.

Is CVE-2022-29199 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-29199, increasing the risk of exploitation.

How to fix CVE-2022-29199?

1. Patch: Upgrade to TensorFlow 2.9.0, 2.8.1, 2.7.2, or 2.6.4. 2. Pre-patch workaround: Validate that initializing_values is explicitly a 1-D vector before passing to LoadAndRemapMatrix in any user-influenced code path. 3. Access control: Restrict tf.raw_ops access in multi-tenant environments; consider sandboxing notebook environments with process isolation per user. 4. Monitoring: Alert on unexpected TF process crashes in production inference or training infrastructure. 5. Code review: Audit codebases that call tf.raw_ops.LoadAndRemapMatrix with user-controlled or externally-sourced tensor inputs.

What systems are affected by CVE-2022-29199?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML notebooks and shared compute.

What is the CVSS score for CVE-2022-29199?

CVE-2022-29199 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.LoadAndRemapMatrix does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. The code assumes `initializing_values` is a vector but there is no validation for this before accessing its value. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Exploitation Scenario

An attacker with access to a shared ML platform (e.g., JupyterHub, cloud notebook instance, or on-prem ML workstation) submits a script that calls tf.raw_ops.LoadAndRemapMatrix with initializing_values set as a 2-D tensor instead of the expected vector. This triggers a CHECK-failure in the TensorFlow kernel, crashing the TF runtime process. In a shared environment this kills co-located notebook kernels or disrupts a shared TF Serving instance, causing denial of service for all concurrent users and terminating any in-progress model training jobs.