CVE-2022-29200 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

TensorFlow's LSTMBlockCell op crashes on malformed tensor inputs due to missing rank validation, enabling denial of service. Exploitability requires local access with low privileges — highest risk in shared ML platforms, multi-tenant Jupyter environments, or MLaaS APIs that expose raw TF ops. Patch immediately to TF 2.9.0, 2.8.1, 2.7.2, or 2.6.4.

Risk Assessment

Medium risk overall, but elevated in multi-tenant or shared ML infrastructure. The local attack vector and low-privilege requirement constrain exploitation to internal threats or compromised accounts. In isolated single-user training environments the practical risk is low. In shared GPU clusters, ML platforms, or inference APIs that accept user-supplied models/ops, a single malicious call can crash the TF process and disrupt co-located workloads. No active exploitation or weaponized PoC beyond the GitHub advisory.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 17% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Upgrade TensorFlow to 2.9.0, 2.8.1, 2.7.2, or 2.6.4 — this is the only fix.
In shared environments, restrict access to tf.raw_ops APIs and block direct raw op invocations from untrusted users.
Apply input shape/rank validation at the application layer before passing tensors to LSTMBlockCell.
Monitor TF process logs for CHECK-failure patterns (grep 'Check failed' in TF stderr) as anomaly signals.
Audit dependency inventory for pinned TF versions below the patched releases in CI/CD pipelines and containerized training jobs.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system robustness

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place to sustain treatment of identified AI risks MEASURE 2.5 - AI system to be deployed undergoes robust testing

OWASP LLM Top 10

LLM06 - Sensitive Information Disclosure / Improper Output Handling

Frequently Asked Questions

What is CVE-2022-29200?

TensorFlow's LSTMBlockCell op crashes on malformed tensor inputs due to missing rank validation, enabling denial of service. Exploitability requires local access with low privileges — highest risk in shared ML platforms, multi-tenant Jupyter environments, or MLaaS APIs that expose raw TF ops. Patch immediately to TF 2.9.0, 2.8.1, 2.7.2, or 2.6.4.

Is CVE-2022-29200 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-29200, increasing the risk of exploitation.

How to fix CVE-2022-29200?

1. Upgrade TensorFlow to 2.9.0, 2.8.1, 2.7.2, or 2.6.4 — this is the only fix. 2. In shared environments, restrict access to tf.raw_ops APIs and block direct raw op invocations from untrusted users. 3. Apply input shape/rank validation at the application layer before passing tensors to LSTMBlockCell. 4. Monitor TF process logs for CHECK-failure patterns (grep 'Check failed' in TF stderr) as anomaly signals. 5. Audit dependency inventory for pinned TF versions below the patched releases in CI/CD pipelines and containerized training jobs.

What systems are affected by CVE-2022-29200?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML notebooks, recurrent neural network inference.

What is the CVSS score for CVE-2022-29200?

CVE-2022-29200 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.LSTMBlockCell` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. The code does not validate the ranks of any of the arguments to this API call. This results in `CHECK`-failures when the elements of the tensor are accessed. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Exploitation Scenario

An attacker with access to a shared ML platform (e.g., a data scientist account on a multi-tenant Jupyter hub or internal MLOps portal) submits a training job or notebook cell that calls tf.raw_ops.LSTMBlockCell with a tensor of incorrect rank — for example, passing a 1D tensor where a 2D matrix is expected. TensorFlow's CHECK macro fires during tensor element access, raising a CHECK-failure exception that terminates the TF runtime process. If the platform runs jobs in a shared TF serving process, this crashes the inference server for all users. In a Kubernetes-based ML platform, repeated submissions can trigger cascading pod restarts, degrading cluster availability and disrupting legitimate model training workloads.