CVE-2022-29203: TensorFlow: DoS via SpaceToBatchND integer overflow

Severity: MEDIUM | PoC available | CISA SSVC: Track*
Published May 20, 2022
CISO Take

A crafted tensor input to TensorFlow's SpaceToBatchND op triggers an integer overflow that crashes the process via assertion failure. Patch TensorFlow to 2.9.0, 2.8.1, 2.7.2, or 2.6.4 immediately on any inference or training infrastructure. No data exposure or code execution — threat is availability of ML pipelines, not data breach.

What is the risk?

Moderate operational risk for organizations running unpatched TensorFlow in inference services or training pipelines. CVSS 5.5 Medium reflects local attack vector, but in practice any system accepting external tensor inputs (e.g., model-as-a-service, gRPC/REST inference endpoints) effectively exposes this remotely. Availability-only impact limits blast radius, but persistent DoS against a production inference API has real business impact. Not actively exploited; patch is available.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K · OpenSSF 7.1 · 3.7K dependents · Pushed 2d ago · 4% patched · ~1372d to patch

How severe is it?

CVSS 3.1: 5.5 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 25% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

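Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High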

What should I do?

  1. Patch: Upgrade TensorFlow to ≥2.9.0 (or patched backports 2.8.1, 2.7.2, 2.6.4).

  2. Validate inputs at the API gateway layer: reject tensor shapes with abnormally large dimension values before they reach the TF runtime.

  3. Run inference workers with process isolation (e.g., separate pods per tenant in Kubernetes) to limit blast radius of a crash.

  4. Monitor for unexpected process exits / OOM kills on inference nodes as a detection signal.

  5. Enable model input schema validation in TF Serving to reject malformed shapes.
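
Step 2 as an added example (not code from the advisory or from TensorFlow): a pre-flight check that recomputes the SpaceToBatchND output shape with Python's arbitrary-precision integers and rejects requests whose result would not fit in int64 or exceeds a size cap. The function name, the `ShapeRejected` exception and the `MAX_ELEMENTS` limit are assumptions for illustration; inputs are assumed to be lists already parsed from the request.

```python
from math import prod

INT64_MAX = 2**63 - 1
MAX_ELEMENTS = 2**28  # assumed policy cap on output tensor size; tune per model


class ShapeRejected(ValueError):
    """Raised when shape parameters must not be passed on to the TF runtime."""


def checked_space_to_batch_nd_shape(input_shape, block_shape, paddings,
                                    max_elements=MAX_ELEMENTS):
    """Return the SpaceToBatchND output shape, or raise ShapeRejected."""
    m = len(block_shape)
    if m < 1 or len(input_shape) < m + 1:
        raise ShapeRejected("input rank must be >= 1 + len(block_shape)")
    if len(paddings) != m or any(len(p) != 2 for p in paddings):
        raise ShapeRejected("paddings must have shape [M, 2]")
    flat = [*input_shape, *block_shape, *(v for p in paddings for v in p)]
    if not all(type(v) is int and v <= INT64_MAX for v in flat):
        raise ShapeRejected("parameters must be integers that fit in int64")
    if any(d < 0 for d in input_shape) or any(b < 1 for b in block_shape):
        raise ShapeRejected("dimensions must be >= 0 and block sizes >= 1")
    if any(v < 0 for p in paddings for v in p):
        raise ShapeRejected("paddings must be non-negative")

    spatial = []
    for dim, block, (start, end) in zip(input_shape[1:m + 1], block_shape, paddings):
        padded = dim + start + end  # exact: Python ints do not wrap
        if padded > INT64_MAX or padded % block:
            raise ShapeRejected("padded dimension overflows int64 or is not "
                                "divisible by its block size")
        spatial.append(padded // block)

    # Output batch is batch * prod(block_shape). It is computed exactly here,
    # so an oversized product is caught instead of wrapping around.
    out = [input_shape[0] * prod(block_shape), *spatial, *input_shape[m + 1:]]
    elements = prod(out)
    if max(out) > INT64_MAX or elements > INT64_MAX:
        raise ShapeRejected("output shape would overflow int64")
    if elements > max_elements:
        raise ShapeRejected("output tensor exceeds the configured size cap")
    return out
```

Call this before building the tensor for the op and map `ShapeRejected` to a 4xx response, so rejected requests are logged at the gateway instead of showing up as worker crashes.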

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk Management System
ISO 42001: 8.4 - AI system operation
NIST AI RMF: GOVERN-1.7 - Processes for AI risk management; MANAGE-2.2 - Mechanisms to sustain the value of deployed AI

Frequently Asked Questions

Is CVE-2022-29203 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-29203, increasing the risk of exploitation.

What systems are affected by CVE-2022-29203?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference APIs, multi-tenant ML platforms.

What is the CVSS score for CVE-2022-29203?

CVE-2022-29203 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.33%.

What is the AI security impact?

Affected AI Architectures

model serving, training pipelines, inference APIs, multi-tenant ML platforms

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0043 Craft Adversarial Data
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: 8.4
NIST AI RMF: GOVERN-1.7, MANAGE-2.2

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.SpaceToBatchND` (in all backends such as XLA and handwritten kernels) is vulnerable to an integer overflow. The result of this integer overflow is used to allocate the output tensor, hence we get a denial of service via a `CHECK`-failure (assertion failure), as in TFSA-2021-198. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Exploitation Scenario

An adversary targeting a TensorFlow Serving deployment with a public REST/gRPC endpoint identifies a model that uses SpaceToBatchND (common in MobileNet, EfficientNet variants). They craft a prediction request with tensor block_shape or paddings values computed to overflow the integer used to allocate the output tensor. When submitted, the TF process hits the CHECK assertion and crashes. The adversary loops this request to maintain persistent denial of service against the inference endpoint, disrupting production ML-powered features (fraud detection, image classification, etc.) until the service is patched or restarted.

Weaknesses (CWE)

CWE-190 — Integer Overflow or Wraparound: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

  • [Requirements] Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. If possible, choose a language or compiler that performs automatic bounds checking.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: May 20, 2022
Last Modified: November 21, 2024
First Seen: May 20, 2022
