CVE-2022-29206 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

This medium-severity TensorFlow flaw allows any local user with low privileges to crash the ML runtime by submitting malformed SparseTensorDenseAdd inputs, triggering a null pointer dereference. No data exfiltration or code execution is possible, but disruption to training jobs and inference workers is trivially achievable. Patch to TF 2.6.4, 2.7.2, 2.8.1, or 2.9.0+ immediately, with priority on shared multi-tenant ML environments where untrusted users can submit tensor operations.

Risk Assessment

Medium risk in isolated single-tenant deployments; elevated in shared or multi-tenant ML infrastructure. CVSS 5.5 reflects local-only access and pure availability impact. Exploitability is trivial—low complexity, low privilege, no user interaction required. The undefined behavior from binding a reference to nullptr consistently manifests as a process crash. No evidence of active exploitation or weaponized PoC in the wild as of disclosure. Risk increases proportionally with the number of users sharing a TensorFlow environment.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 23% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch: Upgrade TensorFlow to 2.6.4, 2.7.2, 2.8.1, or 2.9.0+—patches available at the linked GitHub releases.
Input validation: Implement shape and index bounds validation for sparse tensors at API ingestion boundaries before passing to kernel ops.
Access control: Restrict raw ops API access (tf.raw_ops) to authenticated and authorized internal users only; do not expose it in public-facing inference endpoints.
Process isolation: Run TF inference workers in separate processes or containers so a single crash does not cascade to the full serving fleet.
Detection: Alert on unexpected SIGSEGV or abnormal TF process termination events in ML serving infrastructure logs.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.2 - AI System Robustness and Availability

NIST AI RMF

MANAGE 2.2 - Manage AI Risks from Third-Party Dependencies

OWASP LLM Top 10

LLM05:2025 - Insecure Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2022-29206?

This medium-severity TensorFlow flaw allows any local user with low privileges to crash the ML runtime by submitting malformed SparseTensorDenseAdd inputs, triggering a null pointer dereference. No data exfiltration or code execution is possible, but disruption to training jobs and inference workers is trivially achievable. Patch to TF 2.6.4, 2.7.2, 2.8.1, or 2.9.0+ immediately, with priority on shared multi-tenant ML environments where untrusted users can submit tensor operations.

Is CVE-2022-29206 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-29206, increasing the risk of exploitation.

How to fix CVE-2022-29206?

1. Patch: Upgrade TensorFlow to 2.6.4, 2.7.2, 2.8.1, or 2.9.0+—patches available at the linked GitHub releases. 2. Input validation: Implement shape and index bounds validation for sparse tensors at API ingestion boundaries before passing to kernel ops. 3. Access control: Restrict raw ops API access (tf.raw_ops) to authenticated and authorized internal users only; do not expose it in public-facing inference endpoints. 4. Process isolation: Run TF inference workers in separate processes or containers so a single crash does not cascade to the full serving fleet. 5. Detection: Alert on unexpected SIGSEGV or abnormal TF process termination events in ML serving infrastructure logs.

What systems are affected by CVE-2022-29206?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML compute environments, Jupyter/notebook environments.

What is the CVSS score for CVE-2022-29206?

CVE-2022-29206 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.08%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.SparseTensorDenseAdd` does not fully validate the input arguments. In this case, a reference gets bound to a `nullptr` during kernel execution. This is undefined behavior. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Exploitation Scenario

An attacker with access to a shared TensorFlow training cluster—common in academic or enterprise ML platforms—submits a crafted tf.raw_ops.SparseTensorDenseAdd call where sparse indices and dense shape dimensions are deliberately mismatched. The kernel attempts to bind a reference to a null pointer during execution, triggering undefined behavior that immediately crashes the TF process. In a Jupyter notebook server scenario, this terminates the kernel, aborting co-located users' training runs. In a model serving context with raw ops exposed, a single malformed HTTP request crashes the inference worker, causing a service outage until process restart. No special AI/ML expertise required beyond basic TensorFlow op knowledge.