AI Threat Alert AI Threat Alert

CVE-2022-29202: TensorFlow: DoS via ragged tensor memory exhaustion

MEDIUM PoC AVAILABLE CISA: TRACK*
Published May 20, 2022
CISO Take

Local vulnerability in TensorFlow's ragged tensor API allows low-privileged users to exhaust system memory and crash ML workloads. Risk is highest in multi-tenant ML platforms, shared Jupyter environments, or any setup where untrusted users can execute TensorFlow code. Patch to TF 2.6.4, 2.7.2, 2.8.1, or 2.9.0 immediately.

Risk Assessment

CVSS 5.5 Medium, but contextual risk elevates significantly in shared ML environments. Attack requires only local access with low privileges—typical for data scientists, ML engineers, or notebook users on shared platforms. No authentication bypass needed; any user who can run TensorFlow code can trigger it. Not in CISA KEV and no evidence of active exploitation, keeping real-world risk moderate-to-low for isolated environments.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
5.5 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 20% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C None
I None
A High

Recommended Action

1 step

  1. 1) Patch TensorFlow to versions 2.9.0, 2.8.1, 2.7.2, or 2.6.4 immediately. 2) In multi-tenant environments, enforce strict memory limits via cgroups, ulimit, or Kubernetes resource quotas to contain blast radius. 3) Validate ragged tensor input dimensions and dtypes before passing to tf.ragged.constant in user-facing applications. 4) Monitor for abnormal memory consumption spikes in ML serving and training nodes. 5) Audit all internal tooling and ML pipeline dependencies for unpatched TensorFlow versions in your supply chain.

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework AML.T0010.001 AML.T0029 AML.T0034

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.2 - AI risk assessment
NIST AI RMF
MANAGE 2.2 - Mechanisms for AI risk management
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2022-29202?

Local vulnerability in TensorFlow's ragged tensor API allows low-privileged users to exhaust system memory and crash ML workloads. Risk is highest in multi-tenant ML platforms, shared Jupyter environments, or any setup where untrusted users can execute TensorFlow code. Patch to TF 2.6.4, 2.7.2, 2.8.1, or 2.9.0 immediately.

Is CVE-2022-29202 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-29202, increasing the risk of exploitation.

How to fix CVE-2022-29202?

1) Patch TensorFlow to versions 2.9.0, 2.8.1, 2.7.2, or 2.6.4 immediately. 2) In multi-tenant environments, enforce strict memory limits via cgroups, ulimit, or Kubernetes resource quotas to contain blast radius. 3) Validate ragged tensor input dimensions and dtypes before passing to tf.ragged.constant in user-facing applications. 4) Monitor for abnormal memory consumption spikes in ML serving and training nodes. 5) Audit all internal tooling and ML pipeline dependencies for unpatched TensorFlow versions in your supply chain.

What systems are affected by CVE-2022-29202?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data preprocessing pipelines, shared ML notebook environments, model development workstations.

What is the CVSS score for CVE-2022-29202?

CVE-2022-29202 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.07%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.ragged.constant` does not fully validate the input arguments. This results in a denial of service by consuming all available memory. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Exploitation Scenario

An adversary with access to a shared ML platform—such as an internal JupyterHub or ML training cluster—crafts a malicious notebook that calls tf.ragged.constant with specially crafted arguments designed to allocate unbounded memory. Executed directly or by tricking a colleague into running the notebook, the Python process exhausts available RAM, causing the ML node to swap, freeze, or OOM-kill co-located training jobs. In a CI/CD ML pipeline, a malicious contributor embeds this in a data preprocessing step to repeatably sabotage model training runs with minimal technical sophistication.

Weaknesses (CWE)

CWE-1284 Primary CWE-20 CWE-400

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
May 20, 2022
Last Modified
November 21, 2024
First Seen
May 20, 2022

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed