CVE-2022-29200: TensorFlow LSTMBlockCell DoS

CISO Take

TensorFlow's LSTMBlockCell op crashes on malformed tensor inputs due to missing rank validation, enabling denial of service. Exploitability requires local access with low privileges — highest risk in shared ML platforms, multi-tenant Jupyter environments, or MLaaS APIs that expose raw TF ops. Patch immediately to TF 2.9.0, 2.8.1, 2.7.2, or 2.6.4.

What is the risk?

Medium risk overall, but elevated in multi-tenant or shared ML infrastructure. The local attack vector and low-privilege requirement constrain exploitation to internal threats or compromised accounts. In isolated single-user training environments the practical risk is low. In shared GPU clusters, ML platforms, or inference APIs that accept user-supplied models/ops, a single malicious call can crash the TF process and disrupt co-located workloads. No active exploitation or weaponized PoC beyond the GitHub advisory.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

5.5 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 23% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

What should I do?

5 steps

Upgrade TensorFlow to 2.9.0, 2.8.1, 2.7.2, or 2.6.4 — this is the only fix.
In shared environments, restrict access to tf.raw_ops APIs and block direct raw op invocations from untrusted users.
Apply input shape/rank validation at the application layer before passing tensors to LSTMBlockCell.
Monitor TF process logs for CHECK-failure patterns (grep 'Check failed' in TF stderr) as anomaly signals.
Audit dependency inventory for pinned TF versions below the patched releases in CI/CD pipelines and containerized training jobs.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

DoS Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system robustness

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place to sustain treatment of identified AI risks MEASURE 2.5 - AI system to be deployed undergoes robust testing

OWASP LLM Top 10

LLM06 - Sensitive Information Disclosure / Improper Output Handling

Frequently Asked Questions

What is CVE-2022-29200?

TensorFlow's LSTMBlockCell op crashes on malformed tensor inputs due to missing rank validation, enabling denial of service. Exploitability requires local access with low privileges — highest risk in shared ML platforms, multi-tenant Jupyter environments, or MLaaS APIs that expose raw TF ops. Patch immediately to TF 2.9.0, 2.8.1, 2.7.2, or 2.6.4.

Is CVE-2022-29200 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-29200, increasing the risk of exploitation.

How to fix CVE-2022-29200?

1. Upgrade TensorFlow to 2.9.0, 2.8.1, 2.7.2, or 2.6.4 — this is the only fix. 2. In shared environments, restrict access to tf.raw_ops APIs and block direct raw op invocations from untrusted users. 3. Apply input shape/rank validation at the application layer before passing tensors to LSTMBlockCell. 4. Monitor TF process logs for CHECK-failure patterns (grep 'Check failed' in TF stderr) as anomaly signals. 5. Audit dependency inventory for pinned TF versions below the patched releases in CI/CD pipelines and containerized training jobs.

What systems are affected by CVE-2022-29200?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML notebooks, recurrent neural network inference.

What is the CVSS score for CVE-2022-29200?

CVE-2022-29200 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.32%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingshared ML notebooksrecurrent neural network inference

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0029 Denial of AI Service

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2.6

NIST AI RMF: MANAGE 2.2, MEASURE 2.5

OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.LSTMBlockCell` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. The code does not validate the ranks of any of the arguments to this API call. This results in `CHECK`-failures when the elements of the tensor are accessed. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Exploitation Scenario

An attacker with access to a shared ML platform (e.g., a data scientist account on a multi-tenant Jupyter hub or internal MLOps portal) submits a training job or notebook cell that calls tf.raw_ops.LSTMBlockCell with a tensor of incorrect rank — for example, passing a 1D tensor where a 2D matrix is expected. TensorFlow's CHECK macro fires during tensor element access, raising a CHECK-failure exception that terminates the TF runtime process. If the platform runs jobs in a shared TF serving process, this crashes the inference server for all users. In a Kubernetes-based ML platform, repeated submissions can trigger cascading pod restarts, degrading cluster availability and disrupting legitimate model training workloads.

Weaknesses (CWE)

CWE-1284 Improper Validation of Specified Quantity in Input Primary CWE-20 Improper Input Validation

CWE-1284 — Improper Validation of Specified Quantity in Input: The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis

Source: MITRE CWE corpus.