CVE-2022-29211: TensorFlow: NaN input crashes histogram op (CPU DoS)

MEDIUM PoC AVAILABLE CISA: TRACK*
Published May 21, 2022
CISO Take

Any TensorFlow deployment on CPU using tf.histogram_fixed_width is vulnerable to a process crash if NaN values reach that operation—whether from malicious input injection or corrupted upstream data. Patch to TF 2.9.0, 2.8.1, 2.7.2, or 2.6.4 immediately; also add NaN validation at data ingestion boundaries in training and inference pipelines. No data exfiltration risk, but unpatched training pipelines consuming external datasets can be crashed silently.

Risk Assessment

Medium operational risk, low strategic risk. CVSS 5.5 reflects local-only access requirement, but in ML pipelines 'local' often means any code or data reaching the preprocessing stage—which can include external datasets, user-uploaded files, or upstream model outputs. Exploitability is trivial once data access exists; impact is limited strictly to availability (process crash, no RCE, no data leak). Severity rises in automated training pipelines or CI/CD ML workflows where repeated crashes go undetected.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch

Severity & Risk

CVSS 3.1
5.5 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 27% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local
AC Low
PR Low
UI None
S Unchanged
C None
I None
A High

Recommended Action

5 steps
  1. Patch

    Upgrade TensorFlow to ≥2.9.0, ≥2.8.1, ≥2.7.2, or ≥2.6.4 per your current branch.

  2. Input validation

    Add `tf.debugging.check_numerics` or explicit NaN guards before any histogram operation: `values = tf.where(tf.math.is_nan(values), tf.zeros_like(values), values)`.

  3. Pipeline hardening

    Enforce NaN/Inf rejection at all external data ingestion points before data reaches TF ops.

  4. Detection

    Monitor for unexpected TF process crashes or SIGABRT signals in training and inference jobs—these may indicate NaN injection attempts on unpatched systems.

  5. Inventory

    Audit codebase for tf.histogram_fixed_width usage; prioritize services consuming third-party or user-controlled float data.
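
For the inventory step, the audit can be done on the syntax tree rather than with a text search, so that aliased imports are caught and comments or strings are ignored. The following is an added example, not code from TensorFlow or from this advisory; the function name `find_histogram_calls` and the sample source are constructed for illustration.

```python
import ast

TARGET = "histogram_fixed_width"  # op named in the advisory

def _dotted(node):
    """Render a Name/Attribute chain such as tf.histogram_fixed_width."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    parts.append(node.id if isinstance(node, ast.Name) else "<expr>")
    return ".".join(reversed(parts))

def find_histogram_calls(source, filename="<memory>"):
    """Return sorted (line, callee) pairs for every call to the op."""
    tree = ast.parse(source, filename=filename)
    # Pass 1: local names bound to the op by "from ... import ... as ...".
    names = {TARGET}
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom):
            for alias in node.names:
                if alias.name == TARGET:
                    names.add(alias.asname or alias.name)
    # Pass 2: calls through an attribute (tf.<op>) or a bound local name.
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            f = node.func
            by_attr = isinstance(f, ast.Attribute) and f.attr == TARGET
            by_name = isinstance(f, ast.Name) and f.id in names
            if by_attr or by_name:
                hits.append((node.lineno, _dotted(f)))
    return sorted(hits)

# Constructed sample module; it is parsed, never executed.
CONSTRUCTED_SOURCE = '''\
import tensorflow as tf
from tensorflow import histogram_fixed_width as hfw

def feature_stats(x):
    return tf.histogram_fixed_width(x, [0.0, 1.0], nbins=10)

def other(x):
    h = hfw(x, [0.0, 5.0])
    return tf.reduce_sum(h)
'''

if __name__ == "__main__":
    for line, callee in find_histogram_calls(CONSTRUCTED_SOURCE):
        print(f"line {line}: {callee}")
```

Each hit is a call site to review for where its `values` argument originates; the scan does not decide whether that data is user-controlled.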

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system safety and robustness
NIST AI RMF
MS-2.5 - Reliability and robustness testing
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure / Input Handling

Frequently Asked Questions

Is CVE-2022-29211 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-29211, increasing the risk of exploitation.

What systems are affected by CVE-2022-29211?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data preprocessing, model serving, ML monitoring and observability.

What is the CVSS score for CVE-2022-29211?

CVE-2022-29211 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.10%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.histogram_fixed_width` is vulnerable to a crash when the values array contains `Not a Number` (`NaN`) elements. The implementation assumes that all floating point operations are defined and then converts a floating point result to an integer index. If `values` contains `NaN` then the result of the division is still `NaN` and the cast to `int32` would result in a crash. This only occurs on the CPU implementation. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
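
The failure mode in the description above, and the ingestion-boundary rejection recommended under "Input validation" and "Pipeline hardening", can be followed in plain Python. This is an added example and a simplified model of fixed-width binning, not TensorFlow's kernel code; all function names and the sample batch are constructed. It rejects the batch rather than zero-filling it, so corrupted records are surfaced instead of being counted silently in the zero bin.

```python
import math

class NonFiniteInput(ValueError):
    """Raised at the ingestion boundary when a batch contains NaN or Inf."""

def bin_position(v, lo, hi, nbins):
    # Floating-point position of v on the bin axis. NaN in gives NaN out:
    # every arithmetic step here is "defined" only for finite inputs.
    return (v - lo) / (hi - lo) * nbins

def histogram_model(values, value_range, nbins):
    """Simplified model of fixed-width binning (not TensorFlow's kernel)."""
    lo, hi = value_range
    counts = [0] * nbins
    for v in values:
        # The float-to-int conversion is the step the advisory describes.
        # Python raises here; a native int32 cast has no such safety net.
        idx = int(bin_position(v, lo, hi, nbins))
        counts[min(max(idx, 0), nbins - 1)] += 1
    return counts

def find_non_finite(values):
    """Return (index, value) for every NaN or +/-Inf element."""
    return [(i, v) for i, v in enumerate(values) if not math.isfinite(v)]

def guarded_histogram(values, value_range, nbins):
    """Reject the batch before binning instead of zero-filling it."""
    bad = find_non_finite(values)
    if bad:
        raise NonFiniteInput(
            f"{len(bad)} non-finite value(s), first at index {bad[0][0]}")
    return histogram_model(values, value_range, nbins)

# Constructed sample batch: two clean readings, a NaN, a clean one, an Inf.
CONSTRUCTED_BATCH = [0.2, 0.7, float("nan"), 0.4, float("inf")]

if __name__ == "__main__":
    print(guarded_histogram([0.1, 0.5, 0.99, 1.0, -3.0], (0.0, 1.0), 5))
    try:
        guarded_histogram(CONSTRUCTED_BATCH, (0.0, 1.0), 5)
    except NonFiniteInput as exc:
        print("rejected:", exc)
```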

Exploitation Scenario

An adversary with write access to a training dataset (e.g., contributing poisoned data to a shared data lake, or manipulating an upstream data pipeline) injects NaN values into numeric feature columns. When the downstream TF training job calls tf.histogram_fixed_width to compute feature distributions—common in monitoring, logging, or preprocessing steps—the CPU kernel performs an undefined NaN-to-int32 cast and crashes. In an automated ML pipeline this disrupts or halts training without triggering security alerts, acting as a low-noise denial-of-service that could be used to delay model updates or cause silent pipeline failures.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
May 21, 2022
Last Modified
November 21, 2024
First Seen
May 21, 2022
