CVE-2022-29209: TensorFlow CHECK macro type

CISO Take

A type confusion bug in TensorFlow's internal assertion macros allows local, low-privileged users to crash TensorFlow processes. Patch to TF 2.9.0/2.8.1/2.7.2/2.6.4 immediately — no workaround exists. Risk is strictly availability; no data exfiltration or remote code execution vector is known.

What is the risk?

Medium risk in typical enterprise deployments. Local access with low privileges is required, limiting remote exploitation. In multi-tenant ML platforms, shared Jupyter environments, or CI/CD pipelines where multiple users submit TensorFlow jobs, a malicious or compromised insider could deliberately crash training jobs or inference servers. Cloud ML environments (SageMaker, Vertex AI) where external users submit jobs represent the highest exposure surface.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

5.5 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 30% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

What should I do?

5 steps

Upgrade TensorFlow to 2.9.0, 2.8.1, 2.7.2, or 2.6.4 across all environments.
Audit dev, CI/CD, and production systems via 'pip show tensorflow' or container image scans.
In multi-tenant ML clusters, restrict job submission privileges until patched.
Monitor for unexpected TF process crashes or training job aborts as an exploitation indicator.
In containerized deployments, rebuild and redeploy images with patched TF base layers.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

DoS Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.10.2 - AI system software and data management

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems

OWASP LLM Top 10

LLM04 - Model Denial of Service LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2022-29209?

A type confusion bug in TensorFlow's internal assertion macros allows local, low-privileged users to crash TensorFlow processes. Patch to TF 2.9.0/2.8.1/2.7.2/2.6.4 immediately — no workaround exists. Risk is strictly availability; no data exfiltration or remote code execution vector is known.

Is CVE-2022-29209 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-29209, increasing the risk of exploitation.

How to fix CVE-2022-29209?

1. Upgrade TensorFlow to 2.9.0, 2.8.1, 2.7.2, or 2.6.4 across all environments. 2. Audit dev, CI/CD, and production systems via 'pip show tensorflow' or container image scans. 3. In multi-tenant ML clusters, restrict job submission privileges until patched. 4. Monitor for unexpected TF process crashes or training job aborts as an exploitation indicator. 5. In containerized deployments, rebuild and redeploy images with patched TF base layers.

What systems are affected by CVE-2022-29209?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, notebook environments, CI/CD ML pipelines.

What is the CVSS score for CVE-2022-29209?

CVE-2022-29209 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.39%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingnotebook environmentsCI/CD ML pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0029 Denial of AI Service

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.10.2

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM04, LLM05

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the macros that TensorFlow uses for writing assertions (e.g., `CHECK_LT`, `CHECK_GT`, etc.) have an incorrect logic when comparing `size_t` and `int` values. Due to type conversion rules, several of the macros would trigger incorrectly. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Exploitation Scenario

An insider or compromised ML engineer with local access to a shared training cluster submits a TensorFlow job crafted to trigger the size_t/int comparison bug in a CHECK macro. The assertion misfires, aborting the TF process mid-training. In a shared GPU cluster, repeated exploitation terminates concurrent training runs, causing compute loss and availability disruption to dependent AI services. In a TF Serving deployment, crafted inference inputs that hit the buggy code path take down the serving process, denying service to downstream applications.

Weaknesses (CWE)

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

CWE-843 — Access of Resource Using Incompatible Type ('Type Confusion'): The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

Source: MITRE CWE corpus.