CVE-2022-29203: TensorFlow: DoS via SpaceToBatchND integer overflow
MEDIUM | PoC AVAILABLE | CISA: TRACK*
A crafted tensor input to TensorFlow's SpaceToBatchND op triggers an integer overflow that crashes the process via assertion failure. Patch TensorFlow to 2.9.0, 2.8.1, 2.7.2, or 2.6.4 immediately on any inference or training infrastructure. No data exposure or code execution — threat is availability of ML pipelines, not data breach.
Risk Assessment
Moderate operational risk for organizations running unpatched TensorFlow in inference services or training pipelines. CVSS 5.5 Medium reflects local attack vector, but in practice any system accepting external tensor inputs (e.g., model-as-a-service, gRPC/REST inference endpoints) effectively exposes this remotely. Availability-only impact limits blast radius, but persistent DoS against a production inference API has real business impact. Not actively exploited; patch is available.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | prior to 2.9.0, 2.8.1, 2.7.2 and 2.6.4 | 2.9.0, 2.8.1, 2.7.2, 2.6.4 |
Recommended Action
5 steps:
1. Patch: Upgrade TensorFlow to ≥2.9.0 (or patched backports 2.8.1, 2.7.2, 2.6.4).
2. Validate inputs at the API gateway layer: reject tensor shapes with abnormally large dimension values before they reach the TF runtime.
3. Run inference workers with process isolation (e.g., separate pods per tenant in Kubernetes) to limit blast radius of a crash.
4. Monitor for unexpected process exits / OOM kills on inference nodes as a detection signal.
5. Enable model input schema validation in TF Serving to reject malformed shapes.
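One way to implement the input-validation step above, as an added example (not code from TensorFlow or from this page): it recomputes the SpaceToBatchND output shape from a request's input shape, `block_shape` and `paddings`, and rejects anything whose size arithmetic would exceed int64 or an element budget. The function name, `ShapeRejected` and the `MAX_ELEMENTS` budget are assumptions to adapt per model.

```python
from math import prod

INT64_MAX = 2**63 - 1
MAX_ELEMENTS = 2**28  # assumed per-request element budget; tune per model


class ShapeRejected(ValueError):
    """Raised when a request must not be forwarded to the TF runtime."""


def space_to_batch_nd_output_shape(input_shape, block_shape, paddings,
                                   max_elements=MAX_ELEMENTS):
    """Return the SpaceToBatchND output shape, or raise ShapeRejected.

    Python ints never wrap, so each intermediate value is compared with
    INT64_MAX explicitly: the bound a 64-bit size computation overflows at.
    """
    m = len(block_shape)
    if len(paddings) != m or any(len(p) != 2 for p in paddings):
        raise ShapeRejected("paddings must have shape [M, 2]")
    if len(input_shape) < m + 1:
        raise ShapeRejected("input rank must be at least M + 1")
    values = list(input_shape) + list(block_shape) + [v for p in paddings for v in p]
    if any(type(v) is not int or v < 0 or v > INT64_MAX for v in values):
        raise ShapeRejected("values must be non-negative int64 integers")
    if any(b < 1 for b in block_shape):
        raise ShapeRejected("block_shape entries must be >= 1")

    spatial = []
    for dim, block, (start, end) in zip(input_shape[1:m + 1], block_shape, paddings):
        padded = dim + start + end          # padded spatial dimension
        if padded > INT64_MAX:
            raise ShapeRejected("padded dimension exceeds int64")
        if padded % block:
            raise ShapeRejected("padded dimension not divisible by block size")
        spatial.append(padded // block)

    # Output layout: [batch * prod(block_shape)] + spatial + remaining dims.
    out = [input_shape[0] * prod(block_shape), *spatial, *input_shape[m + 1:]]
    elements = prod(out)
    if out[0] > INT64_MAX or elements > max_elements:
        raise ShapeRejected(f"output of {elements} elements exceeds budget")
    return out
```

Call it in the gateway before forwarding a request and map `ShapeRejected` to a 4xx response, so a malformed shape costs one rejected request rather than a worker crash.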
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2022-29203?
A crafted tensor input to TensorFlow's SpaceToBatchND op triggers an integer overflow that crashes the process via assertion failure. Patch TensorFlow to 2.9.0, 2.8.1, 2.7.2, or 2.6.4 immediately on any inference or training infrastructure. No data exposure or code execution — threat is availability of ML pipelines, not data breach.
Is CVE-2022-29203 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2022-29203, increasing the risk of exploitation.
How to fix CVE-2022-29203?
1. Patch: Upgrade TensorFlow to ≥2.9.0 (or patched backports 2.8.1, 2.7.2, 2.6.4).
2. Validate inputs at the API gateway layer: reject tensor shapes with abnormally large dimension values before they reach the TF runtime.
3. Run inference workers with process isolation (e.g., separate pods per tenant in Kubernetes) to limit blast radius of a crash.
4. Monitor for unexpected process exits / OOM kills on inference nodes as a detection signal.
5. Enable model input schema validation in TF Serving to reject malformed shapes.
What systems are affected by CVE-2022-29203?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference APIs, multi-tenant ML platforms.
What is the CVSS score for CVE-2022-29203?
CVE-2022-29203 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.06%.
Technical Details
NVD Description
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.SpaceToBatchND` (in all backends such as XLA and handwritten kernels) is vulnerable to an integer overflow: The result of this integer overflow is used to allocate the output tensor, hence we get a denial of service via a `CHECK`-failure (assertion failure), as in TFSA-2021-198. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Exploitation Scenario
An adversary targeting a TensorFlow Serving deployment with a public REST/gRPC endpoint identifies a model that uses SpaceToBatchND (common in MobileNet, EfficientNet variants). They craft a prediction request with tensor block_shape or paddings values computed to overflow the integer used to allocate the output tensor. When submitted, the TF process hits the CHECK assertion and crashes. The adversary loops this request to maintain persistent denial of service against the inference endpoint, disrupting production ML-powered features (fraud detection, image classification, etc.) until the service is patched or restarted.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
- github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-198.md Patch 3rd Party
- github.com/tensorflow/tensorflow/commit/acd56b8bcb72b163c834ae4f18469047b001fadf Patch 3rd Party
- github.com/tensorflow/tensorflow/releases/tag/v2.6.4 Release 3rd Party
- github.com/tensorflow/tensorflow/releases/tag/v2.7.2 Release 3rd Party
- github.com/tensorflow/tensorflow/releases/tag/v2.8.1 Release 3rd Party
- github.com/tensorflow/tensorflow/releases/tag/v2.9.0 Release 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-jjm6-4vf7-cjh4 Exploit Patch 3rd Party
- github.com/gclonly/im Exploit
Related Vulnerabilities
- CVE-2020-15196 (9.9) TensorFlow: heap OOB read in sparse/ragged count ops. Same package: tensorflow
- CVE-2020-15205 (9.8) TensorFlow: heap overflow in StringNGrams, ASLR bypass. Same package: tensorflow
- CVE-2020-15208 (9.8) TFLite: OOB read/write via tensor dimension mismatch. Same package: tensorflow
- CVE-2019-16778 (9.8) TensorFlow: heap overflow in UnsortedSegmentSum op. Same package: tensorflow
- CVE-2022-23587 (9.8) TensorFlow: integer overflow in Grappler enables RCE. Same package: tensorflow