AI Threat Alert

CVE-2022-29202: TensorFlow: DoS via ragged tensor memory exhaustion

MEDIUM PoC AVAILABLE CISA: TRACK*
Published May 20, 2022
CISO Take

Local vulnerability in TensorFlow's ragged tensor API allows low-privileged users to exhaust system memory and crash ML workloads. Risk is highest in multi-tenant ML platforms, shared Jupyter environments, or any setup where untrusted users can execute TensorFlow code. Patch to TF 2.6.4, 2.7.2, 2.8.1, or 2.9.0 immediately.

What is the risk?

CVSS 5.5 Medium, but contextual risk elevates significantly in shared ML environments. Attack requires only local access with low privileges—typical for data scientists, ML engineers, or notebook users on shared platforms. No authentication bypass needed; any user who can run TensorFlow code can trigger it. Not in CISA KEV and no evidence of active exploitation, keeping real-world risk moderate-to-low for isolated environments.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
5.5 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 23% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C None
I None
A High

What should I do?

1 step

  1. 1) Patch TensorFlow to versions 2.9.0, 2.8.1, 2.7.2, or 2.6.4 immediately. 2) In multi-tenant environments, enforce strict memory limits via cgroups, ulimit, or Kubernetes resource quotas to contain blast radius. 3) Validate ragged tensor input dimensions and dtypes before passing to tf.ragged.constant in user-facing applications. 4) Monitor for abnormal memory consumption spikes in ML serving and training nodes. 5) Audit all internal tooling and ML pipeline dependencies for unpatched TensorFlow versions in your supply chain.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

DoS Framework AML.T0010.001 AML.T0029 AML.T0034

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.2 - AI risk assessment
NIST AI RMF
MANAGE 2.2 - Mechanisms for AI risk management
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2022-29202?

Local vulnerability in TensorFlow's ragged tensor API allows low-privileged users to exhaust system memory and crash ML workloads. Risk is highest in multi-tenant ML platforms, shared Jupyter environments, or any setup where untrusted users can execute TensorFlow code. Patch to TF 2.6.4, 2.7.2, 2.8.1, or 2.9.0 immediately.

Is CVE-2022-29202 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-29202, increasing the risk of exploitation.

How to fix CVE-2022-29202?

1) Patch TensorFlow to versions 2.9.0, 2.8.1, 2.7.2, or 2.6.4 immediately. 2) In multi-tenant environments, enforce strict memory limits via cgroups, ulimit, or Kubernetes resource quotas to contain blast radius. 3) Validate ragged tensor input dimensions and dtypes before passing to tf.ragged.constant in user-facing applications. 4) Monitor for abnormal memory consumption spikes in ML serving and training nodes. 5) Audit all internal tooling and ML pipeline dependencies for unpatched TensorFlow versions in your supply chain.

What systems are affected by CVE-2022-29202?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data preprocessing pipelines, shared ML notebook environments, model development workstations.

What is the CVSS score for CVE-2022-29202?

CVE-2022-29202 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.32%.

What is the AI security impact?

Affected AI Architectures

training pipelinesdata preprocessing pipelinesshared ML notebook environmentsmodel development workstations

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0034 Cost Harvesting

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.ragged.constant` does not fully validate the input arguments. This results in a denial of service by consuming all available memory. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Exploitation Scenario

An adversary with access to a shared ML platform—such as an internal JupyterHub or ML training cluster—crafts a malicious notebook that calls tf.ragged.constant with specially crafted arguments designed to allocate unbounded memory. Executed directly or by tricking a colleague into running the notebook, the Python process exhausts available RAM, causing the ML node to swap, freeze, or OOM-kill co-located training jobs. In a CI/CD ML pipeline, a malicious contributor embeds this in a data preprocessing step to repeatably sabotage model training runs with minimal technical sophistication.

Weaknesses (CWE)

CWE-1284 Improper Validation of Specified Quantity in Input Primary CWE-20 Improper Input Validation CWE-400 Uncontrolled Resource Consumption

CWE-1284 — Improper Validation of Specified Quantity in Input: The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
May 20, 2022
Last Modified
November 21, 2024
First Seen
May 20, 2022

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed