CVE-2022-29205: TensorFlow: NULL deref DoS via compat.v1 ops
MEDIUM / PoC AVAILABLE / CISA: TRACK*
A local attacker with minimal privileges can crash any TensorFlow process by invoking legacy tf.compat.v1 ops that lack quantized type support, triggering a NULL pointer dereference. Patch immediately to TF 2.9.0, 2.8.1, 2.7.2, or 2.6.4; the fix is straightforward and patches are available. The local-only attack vector limits blast radius, but multi-tenant ML platforms (shared Jupyter/Colab environments, MLOps pipelines with user-submitted code) are meaningfully exposed.
What is the risk?
Moderate operational risk for AI/ML teams. CVSS 5.5 reflects the local attack vector, which prevents remote exploitation and limits exposure. However, in multi-tenant ML development environments — shared notebook servers, training clusters with multiple users, or inference services that accept user-provided model code — a low-privileged user can reliably crash the TF runtime with a trivial one-liner. The vulnerability is in the legacy compatibility shim (tf.compat.v1), meaning older codebases and migration-phase projects are disproportionately exposed. No active exploitation in the wild; not in CISA KEV.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
Do you use TensorFlow? You're affected.
What should I do?
1. PATCH: Upgrade TensorFlow to 2.9.0, 2.8.1, 2.7.2, or 2.6.4 depending on your pinned version. Patch is available via pip: `pip install "tensorflow>=2.9.0"` (quote the requirement so the shell does not treat `>` as a redirect).
2. WORKAROUND (if patching is blocked): Audit codebases for tf.compat.v1 usage and restrict which ops are called; avoid quantized type operations via the compat.v1 API.
3. ISOLATION: In multi-tenant environments (JupyterHub, shared training servers), ensure user-submitted code runs in isolated containers or with process-level sandboxing so a crash does not affect other tenants.
4. MONITORING: Alert on unexpected TF process crashes (SIGABRT/SIGSEGV from tensorflow processes) in serving infrastructure as potential abuse indicators.
5. INVENTORY: Identify all ML services running TF versions < 2.6.4 using your software asset inventory.
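A version check for the inventory step, added here as an example (not code from the advisory or from TensorFlow): it classifies pinned versions against the four fixed releases the page names, which also flags 2.7.0 to 2.7.1 and 2.8.0, branches a plain `< 2.6.4` filter would miss. The extra package names and the sample `pip freeze` lines are assumptions constructed for illustration.

```python
import re

# First fixed patch level on each maintained branch, as listed on this page.
FIXED_PATCH = {(2, 6): 4, (2, 7): 2, (2, 8): 1}
FIRST_FIXED_BRANCH = (2, 9)  # the page says releases prior to 2.9.0 are affected

# Assumption: sibling pip distributions follow the same version numbers.
TF_PACKAGES = {"tensorflow", "tensorflow-cpu", "tensorflow-gpu"}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")
_PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*(\S+)")


def classify(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a TensorFlow version."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unknown"
    major, minor, patch = (int(g) for g in m.groups()[:3])
    if m.group(4):
        # rc/dev/local builds: the page does not say whether they carry the fix
        return "unknown"
    branch = (major, minor)
    if branch >= FIRST_FIXED_BRANCH:
        return "patched"
    if branch in FIXED_PATCH:
        return "patched" if patch >= FIXED_PATCH[branch] else "vulnerable"
    return "vulnerable"  # the page lists no fixed release for branches below 2.6


def audit(freeze_lines):
    """Map each pinned TensorFlow line of `pip freeze` output to a verdict."""
    findings = []
    for line in freeze_lines:
        m = _PIN.match(line)
        if m and m.group(1).lower().replace("_", "-") in TF_PACKAGES:
            findings.append((m.group(1), m.group(2), classify(m.group(2))))
    return findings


# Constructed sample inventory (not real hosts or real output).
SAMPLE = ["numpy==1.22.3", "tensorflow==2.8.0", "tensorflow-cpu==2.7.2",
          "tensorflow==2.5.3", "tensorflow==2.9.0rc1", "tensorflow==2.11.0"]

if __name__ == "__main__":
    for name, version, verdict in audit(SAMPLE):
        print(f"{name:16} {version:10} {verdict}")
```

Treat `unknown` results as unpatched until the build is confirmed to include the fix commit listed in the references.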
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2022-29205 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2022-29205, increasing the risk of exploitation.
What systems are affected by CVE-2022-29205?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, inference.
What is the CVSS score for CVE-2022-29205?
CVE-2022-29205 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.32%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0029 Denial of AI Service
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, there is a potential for segfault / denial of service in TensorFlow by calling `tf.compat.v1.*` ops which don't yet have support for quantized types, which was added after migration to TensorFlow 2.x. In these scenarios, since the kernel is missing, a `nullptr` value is passed to `ParseDimensionValue` for the `py_value` argument. Then, this is dereferenced, resulting in segfault. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Exploitation Scenario
An attacker with local access to a shared ML training server (e.g., a data scientist on a multi-user JupyterHub or a malicious insider on an MLOps platform) imports TensorFlow and calls a tf.compat.v1 op that internally lacks quantized type kernel support. The missing kernel causes a nullptr to be passed to ParseDimensionValue, which immediately dereferences it, generating a SIGSEGV and terminating the TF process. On a shared inference server, this kills active model serving for all users. On a training cluster, it aborts long-running GPU jobs. The attack requires no special knowledge — a one-line Python call is sufficient — and is 100% reliable on vulnerable versions.
Weaknesses (CWE)
CWE-476 — NULL Pointer Dereference: The product dereferences a pointer that it expects to be valid but is NULL.
- [Implementation] For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
- [Requirements] Select a programming language that is not susceptible to these issues.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
- github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/python/eager/pywrap_tfe_src.cc 3rd Party
- github.com/tensorflow/tensorflow/commit/237822b59fc504dda2c564787f5d3ad9c4aa62d9 Patch 3rd Party
- github.com/tensorflow/tensorflow/releases/tag/v2.6.4 Release 3rd Party
- github.com/tensorflow/tensorflow/releases/tag/v2.7.2 Release 3rd Party
- github.com/tensorflow/tensorflow/releases/tag/v2.8.1 Release 3rd Party
- github.com/tensorflow/tensorflow/releases/tag/v2.9.0 Release 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-54ch-gjq5-4976 Exploit Patch 3rd Party
- github.com/ARPSyndicate/cvemon Exploit
- github.com/skipfuzz/skipfuzz Exploit
Related Vulnerabilities
- CVE-2020-15196 (9.9) TensorFlow: heap OOB read in sparse/ragged count ops. Same package: tensorflow
- CVE-2020-15205 (9.8) TensorFlow: heap overflow in StringNGrams, ASLR bypass. Same package: tensorflow
- CVE-2020-15208 (9.8) TFLite: OOB read/write via tensor dimension mismatch. Same package: tensorflow
- CVE-2019-16778 (9.8) TensorFlow: heap overflow in UnsortedSegmentSum op. Same package: tensorflow
- CVE-2022-23587 (9.8) TensorFlow: integer overflow in Grappler enables RCE. Same package: tensorflow