CVE-2022-29209: TensorFlow: CHECK macro type confusion causes DoS
MEDIUM | PoC AVAILABLE | CISA: TRACK*
A type confusion bug in TensorFlow's internal assertion macros allows local, low-privileged users to crash TensorFlow processes. Patch to TF 2.9.0/2.8.1/2.7.2/2.6.4 immediately; no workaround exists. Risk is strictly availability; no data exfiltration or remote code execution vector is known.
Risk Assessment
Medium risk in typical enterprise deployments. Local access with low privileges is required, limiting remote exploitation. In multi-tenant ML platforms, shared Jupyter environments, or CI/CD pipelines where multiple users submit TensorFlow jobs, a malicious or compromised insider could deliberately crash training jobs or inference servers. Cloud ML environments (SageMaker, Vertex AI) where external users submit jobs represent the highest exposure surface.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | — | No patch |
Recommended Action
1. Upgrade TensorFlow to 2.9.0, 2.8.1, 2.7.2, or 2.6.4 across all environments.
2. Audit dev, CI/CD, and production systems via `pip show tensorflow` or container image scans.
3. In multi-tenant ML clusters, restrict job submission privileges until patched.
4. Monitor for unexpected TF process crashes or training job aborts as an exploitation indicator.
5. In containerized deployments, rebuild and redeploy images with patched TF base layers.
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2022-29209?
A type confusion bug in TensorFlow's internal assertion macros allows local, low-privileged users to crash TensorFlow processes. Patch to TF 2.9.0/2.8.1/2.7.2/2.6.4 immediately — no workaround exists. Risk is strictly availability; no data exfiltration or remote code execution vector is known.
Is CVE-2022-29209 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2022-29209, increasing the risk of exploitation.
How to fix CVE-2022-29209?
1. Upgrade TensorFlow to 2.9.0, 2.8.1, 2.7.2, or 2.6.4 across all environments.
2. Audit dev, CI/CD, and production systems via `pip show tensorflow` or container image scans.
3. In multi-tenant ML clusters, restrict job submission privileges until patched.
4. Monitor for unexpected TF process crashes or training job aborts as an exploitation indicator.
5. In containerized deployments, rebuild and redeploy images with patched TF base layers.
What systems are affected by CVE-2022-29209?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, notebook environments, CI/CD ML pipelines.
What is the CVSS score for CVE-2022-29209?
CVE-2022-29209 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.09%.
Technical Details
NVD Description
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the macros that TensorFlow uses for writing assertions (e.g., `CHECK_LT`, `CHECK_GT`, etc.) have an incorrect logic when comparing `size_t` and `int` values. Due to type conversion rules, several of the macros would trigger incorrectly. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
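The conversion rule the description refers to, as an added C++ illustration (not TensorFlow's macro code; `holds_converted`, `holds_exact`, `spurious_abort` and `missed_failure` are hypothetical names). When a `size_t` is compared with an `int`, the `int` is converted to `size_t` first, so a negative value compares as a very large one and an assertion built on that comparison can abort or pass incorrectly.

```cpp
#include <cstddef>
#include <cstdio>

enum Op { LT, LE, GT, GE };

static bool apply(Op op, std::size_t a, std::size_t b) {
  switch (op) {
    case LT: return a < b;
    case LE: return a <= b;
    case GT: return a > b;
    default: return a >= b;  // GE
  }
}

// What a plain `a OP b` does for size_t vs int: the usual arithmetic
// conversions turn the int into size_t first, so -1 becomes SIZE_MAX.
bool holds_converted(Op op, std::size_t a, int b) {
  return apply(op, a, static_cast<std::size_t>(b));
}

// Sign-aware comparison: a negative int is below every size_t value.
bool holds_exact(Op op, std::size_t a, int b) {
  if (b < 0) return op == GT || op == GE;
  return apply(op, a, static_cast<std::size_t>(b));
}

// True when an assertion built on the converted comparison would abort
// although the condition is mathematically true (a spurious crash).
bool spurious_abort(Op op, std::size_t a, int b) {
  return holds_exact(op, a, b) && !holds_converted(op, a, b);
}

// True when the assertion would pass although the condition is false.
bool missed_failure(Op op, std::size_t a, int b) {
  return !holds_exact(op, a, b) && holds_converted(op, a, b);
}

int main() {
  const char* names[] = {"LT", "LE", "GT", "GE"};
  const int samples[] = {-1, 0, 7};  // constructed sample values
  for (int op = LT; op <= GE; ++op)
    for (int s = 0; s < 3; ++s)
      std::printf("CHECK_%s(size_t{5}, %d): exact=%d converted=%d\n", names[op], samples[s],
                  holds_exact(Op(op), 5, samples[s]), holds_converted(Op(op), 5, samples[s]));
  return 0;
}
```

Rows where `exact` and `converted` differ are the cases in which a check on mixed `size_t`/`int` operands gives the wrong verdict; building with `-Wsign-compare` flags such comparisons at compile time.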
Exploitation Scenario
An insider or compromised ML engineer with local access to a shared training cluster submits a TensorFlow job crafted to trigger the size_t/int comparison bug in a CHECK macro. The assertion misfires, aborting the TF process mid-training. In a shared GPU cluster, repeated exploitation terminates concurrent training runs, causing compute loss and availability disruption to dependent AI services. In a TF Serving deployment, crafted inference inputs that hit the buggy code path take down the serving process, denying service to downstream applications.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
- github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/core/platform/default/logging.h 3rd Party
- github.com/tensorflow/tensorflow/commit/b917181c29b50cb83399ba41f4d938dc369109a1 Patch 3rd Party
- github.com/tensorflow/tensorflow/issues/55530 Exploit Issue 3rd Party
- github.com/tensorflow/tensorflow/pull/55730 Exploit Issue Patch 3rd Party
- github.com/tensorflow/tensorflow/releases/tag/v2.6.4 Release 3rd Party
- github.com/tensorflow/tensorflow/releases/tag/v2.7.2 Release 3rd Party
- github.com/tensorflow/tensorflow/releases/tag/v2.8.1 Release 3rd Party
- github.com/tensorflow/tensorflow/releases/tag/v2.9.0 Release 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-f4rr-5m7v-wxcw Exploit Patch 3rd Party
Related Vulnerabilities
- CVE-2020-15196 9.9 TensorFlow: heap OOB read in sparse/ragged count ops (Same package: tensorflow)
- CVE-2020-15205 9.8 TensorFlow: heap overflow in StringNGrams, ASLR bypass (Same package: tensorflow)
- CVE-2020-15208 9.8 TFLite: OOB read/write via tensor dimension mismatch (Same package: tensorflow)
- CVE-2019-16778 9.8 TensorFlow: heap overflow in UnsortedSegmentSum op (Same package: tensorflow)
- CVE-2022-23587 9.8 TensorFlow: integer overflow in Grappler enables RCE (Same package: tensorflow)