CVE-2022-29204: TensorFlow: DoS via UnsortedSegmentJoin input validation
MEDIUM · PoC AVAILABLE · CISA: TRACK*
A missing input validation in TensorFlow's UnsortedSegmentJoin op allows any local low-privilege user to crash ML workloads by passing a negative num_segments value, triggering an assertion failure. Patch to TensorFlow 2.9.0, 2.8.1, 2.7.2, or 2.6.4 immediately—especially on shared ML infrastructure. No data exfiltration or code execution is possible; impact is limited to availability.
Risk Assessment
Low-to-medium operational risk. Remote exploitation is impossible (local access required, low privileges). However, risk escalates significantly in shared ML environments—multi-tenant Jupyter hubs, shared training clusters, or internal model-serving APIs—where a malicious or compromised insider can weaponize this trivially. The assertion-based crash leaves no persistence, but can disrupt long-running training jobs or production inference services.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | — | No patch |
Recommended Action
1) Patch: Upgrade TensorFlow to ≥2.9.0, ≥2.8.1, ≥2.7.2, or ≥2.6.4.
2) Workaround: Add application-layer validation enforcing num_segments > 0 before calling tf.raw_ops.UnsortedSegmentJoin.
3) Detection: Alert on unexpected TensorFlow process exits and grep TF logs for 'CHECK failed' strings.
4) Harden access: Restrict local execution rights on ML training and serving hosts to trusted users only.
5) Inventory: Audit all TensorFlow versions across dev, staging, and production environments.
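The workaround and inventory steps above, as an added example (not code from this page or from the TensorFlow project): a per-release-line version check and a guard that validates `num_segments` before the op is called. The function names, the host names in `SAMPLE_INVENTORY`, and passing the op in as a parameter (so the block runs without TensorFlow installed) are assumptions of this example.

```python
import operator
import re

# First fixed release on each maintained line, as listed on this page.
FIXED_PATCH = {(2, 6): 4, (2, 7): 2, (2, 8): 1}

# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = {"train-01": "2.8.0", "serve-01": "2.8.1",
                    "nb-hub": "2.7.0", "ci": "2.9.0rc1", "batch": "2.10.0"}

def is_patched(version: str) -> bool:
    """True only for plain X.Y.Z releases that contain the fix."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return False  # rc/nightly/unparseable: report for manual review
    major, minor, patch = map(int, m.groups())
    if (major, minor) >= (2, 9):
        return True
    # Compare within the release line: 2.7.0 sorts above 2.6.4 but is unpatched.
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch >= fixed

def audit(inventory: dict) -> list:
    """Hosts from a {host: version} map that still need the upgrade."""
    return sorted(h for h, v in inventory.items() if not is_patched(v))

def checked_num_segments(num_segments) -> int:
    """Workaround from the page: require a scalar integer > 0."""
    if isinstance(num_segments, bool):
        raise ValueError("num_segments must be an integer, not bool")
    try:
        n = operator.index(num_segments)
    except TypeError:
        raise ValueError("num_segments must be a scalar integer") from None
    if n <= 0:
        raise ValueError(f"num_segments must be > 0, got {n}")
    return n

def guarded_join(op, inputs, segment_ids, num_segments, separator=""):
    """Validate first, then call op (tf.raw_ops.UnsortedSegmentJoin in real use)."""
    n = checked_num_segments(num_segments)
    return op(inputs=inputs, segment_ids=segment_ids,
              num_segments=n, separator=separator)

if __name__ == "__main__":
    print("needs upgrade:", audit(SAMPLE_INVENTORY))
```

The guard only accepts a concrete Python or NumPy integer at call time; a symbolic tensor is rejected with `ValueError` rather than passed through to the op.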
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2022-29204?
A missing input validation in TensorFlow's UnsortedSegmentJoin op allows any local low-privilege user to crash ML workloads by passing a negative num_segments value, triggering an assertion failure. Patch to TensorFlow 2.9.0, 2.8.1, 2.7.2, or 2.6.4 immediately—especially on shared ML infrastructure. No data exfiltration or code execution is possible; impact is limited to availability.
Is CVE-2022-29204 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2022-29204, increasing the risk of exploitation.
How to fix CVE-2022-29204?
1) Patch: Upgrade TensorFlow to ≥2.9.0, ≥2.8.1, ≥2.7.2, or ≥2.6.4.
2) Workaround: Add application-layer validation enforcing num_segments > 0 before calling tf.raw_ops.UnsortedSegmentJoin.
3) Detection: Alert on unexpected TensorFlow process exits and grep TF logs for 'CHECK failed' strings.
4) Harden access: Restrict local execution rights on ML training and serving hosts to trusted users only.
5) Inventory: Audit all TensorFlow versions across dev, staging, and production environments.
What systems are affected by CVE-2022-29204?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, inference endpoints.
What is the CVSS score for CVE-2022-29204?
CVE-2022-29204 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.06%.
Technical Details
NVD Description
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.UnsortedSegmentJoin` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. The code assumes `num_segments` is a positive scalar but there is no validation. Since this value is used to allocate the output tensor, a negative value would result in a `CHECK`-failure (assertion failure), as per TFSA-2021-198. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Exploitation Scenario
An adversary with a low-privilege account on a shared ML training cluster constructs a minimal TensorFlow graph calling tf.raw_ops.UnsortedSegmentJoin with num_segments=-1. On execution, TensorFlow's internal CHECK macro fires and terminates the process. In a Kubernetes-based model-serving deployment, this crashes the inference pod, causing service unavailability until the pod restarts. In a multi-tenant Jupyter environment, a malicious user could repeatedly trigger the crash to disrupt co-tenants' training runs without leaving obvious forensic traces beyond a process crash.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
- github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/core/kernels/unsorted_segment_join_op.cc 3rd Party
- github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-198.md Patch 3rd Party
- github.com/tensorflow/tensorflow/commit/20cb18724b0bf6c09071a3f53434c4eec53cc147 Patch 3rd Party
- github.com/tensorflow/tensorflow/commit/84563f265f28b3c36a15335c8b005d405260e943 Patch 3rd Party
- github.com/tensorflow/tensorflow/releases/tag/v2.6.4 Release 3rd Party
- github.com/tensorflow/tensorflow/releases/tag/v2.7.2 Release 3rd Party
- github.com/tensorflow/tensorflow/releases/tag/v2.8.1 Release 3rd Party
- github.com/tensorflow/tensorflow/releases/tag/v2.9.0 Release 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-hx9q-2mx4-m4pg Exploit Patch 3rd Party
- github.com/ARPSyndicate/cvemon Exploit
- github.com/anonymous-1113/CPE_verify Exploit
- github.com/skipfuzz/skipfuzz Exploit
Related Vulnerabilities
- CVE-2020-15196 (9.9) TensorFlow: heap OOB read in sparse/ragged count ops. Same package: tensorflow
- CVE-2020-15205 (9.8) TensorFlow: heap overflow in StringNGrams, ASLR bypass. Same package: tensorflow
- CVE-2020-15208 (9.8) TFLite: OOB read/write via tensor dimension mismatch. Same package: tensorflow
- CVE-2019-16778 (9.8) TensorFlow: heap overflow in UnsortedSegmentSum op. Same package: tensorflow
- CVE-2022-23587 (9.8) TensorFlow: integer overflow in Grappler enables RCE. Same package: tensorflow