CVE-2022-29211: TensorFlow: NaN input crashes histogram op (CPU DoS)

MEDIUM PoC AVAILABLE CISA: TRACK*
Published May 21, 2022

CISO Take

Any TensorFlow deployment on CPU using tf.histogram_fixed_width is vulnerable to a process crash if NaN values reach that operation—whether from malicious input injection or corrupted upstream data. Patch to TF 2.9.0, 2.8.1, 2.7.2, or 2.6.4 immediately; also add NaN validation at data ingestion boundaries in training and inference pipelines. No data exfiltration risk, but unpatched training pipelines consuming external datasets are silently crashable.

What is the risk?

Medium operational risk, low strategic risk. CVSS 5.5 reflects local-only access requirement, but in ML pipelines 'local' often means any code or data reaching the preprocessing stage—which can include external datasets, user-uploaded files, or upstream model outputs. Exploitability is trivial once data access exists; impact is limited strictly to availability (process crash, no RCE, no data leak). Severity rises in automated training pipelines or CI/CD ML workflows where repeated crashes go undetected.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
5.5 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 23% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local
AC Low
PR Low
UI None
S Unchanged
C None
I None
A High

What should I do?

5 steps
  1. Patch

    Upgrade TensorFlow to ≥2.9.0, ≥2.8.1, ≥2.7.2, or ≥2.6.4 per your current branch.

  2. Input validation

    Add `tf.debugging.check_numerics` or explicit NaN guards before any histogram operation: `values = tf.where(tf.math.is_nan(values), tf.zeros_like(values), values)`.

  3. Pipeline hardening

    Enforce NaN/Inf rejection at all external data ingestion points before data reaches TF ops.

  4. Detection

    Monitor for unexpected TF process crashes or SIGABRT signals in training and inference jobs—these may indicate NaN injection attempts on unpatched systems.

  5. Inventory

    Audit codebase for tf.histogram_fixed_width usage; prioritize services consuming third-party or user-controlled float data.
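
The input-validation and pipeline-hardening steps above, as an added example that is not TensorFlow code and not part of the original advisory: a standard-library Python model of fixed-width binning that shows where NaN reaches the integer cast, plus an ingestion-boundary filter that rejects NaN, Inf and unparseable values first. The function names and the sample feed are hypothetical.

```python
import math

def bucket_index(value, lo, hi, nbins):
    """Simplified model of fixed-width binning (not TensorFlow's kernel)."""
    scaled = nbins * (value - lo) / (hi - lo)
    # NaN passes through the arithmetic and through both clamps (every
    # comparison with NaN is False), so the integer cast receives NaN.
    # Python raises ValueError here; in C++ the same cast is undefined.
    return int(min(max(scaled, 0), nbins - 1))

def parse_finite(text):
    """Return a finite float, or None for NaN, +/-Inf, overflow or junk."""
    try:
        number = float(text)
    except (TypeError, ValueError):
        return None
    return number if math.isfinite(number) else None

def split_batch(raw_values):
    """Ingestion boundary: separate usable values from rejected ones."""
    accepted, rejected = [], []
    for position, text in enumerate(raw_values):
        number = parse_finite(text)
        if number is None:
            rejected.append((position, text))  # keep for alerting/quarantine
        else:
            accepted.append(number)
    return accepted, rejected

def fixed_width_counts(values, lo, hi, nbins):
    """Count values per bucket; callers pass only validated input."""
    counts = [0] * nbins
    for value in values:
        counts[bucket_index(value, lo, hi, nbins)] += 1
    return counts

# Constructed sample feed: "1e999" overflows to +Inf when parsed.
RAW_FEED = ["0.1", "0.5", "NaN", "0.9", "1e999", "-inf", "abc", "2.5"]

if __name__ == "__main__":
    good, bad = split_batch(RAW_FEED)
    print("rejected:", bad)
    print("histogram:", fixed_width_counts(good, 0.0, 1.0, 4))
```

Rejecting and logging the offending positions, rather than silently zeroing them, also gives the detection step a record of where non-finite values entered the pipeline.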

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system safety and robustness
NIST AI RMF
MS-2.5 - Reliability and robustness testing
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure / Input Handling

Frequently Asked Questions

Is CVE-2022-29211 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-29211, increasing the risk of exploitation.

How to fix CVE-2022-29211?

  1. Patch: Upgrade TensorFlow to ≥2.9.0, ≥2.8.1, ≥2.7.2, or ≥2.6.4 per your current branch.
  2. Input validation: Add tf.debugging.check_numerics or explicit NaN guards before any histogram operation: `values = tf.where(tf.math.is_nan(values), tf.zeros_like(values), values)`.
  3. Pipeline hardening: Enforce NaN/Inf rejection at all external data ingestion points before data reaches TF ops.
  4. Detection: Monitor for unexpected TF process crashes or SIGABRT signals in training and inference jobs—these may indicate NaN injection attempts on unpatched systems.
  5. Inventory: Audit codebase for tf.histogram_fixed_width usage; prioritize services consuming third-party or user-controlled float data.

What systems are affected by CVE-2022-29211?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data preprocessing, model serving, ML monitoring and observability.

What is the CVSS score for CVE-2022-29211?

CVE-2022-29211 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.31%.

What is the AI security impact?

Affected AI Architectures

training pipelines, data preprocessing, model serving, ML monitoring and observability

MITRE ATLAS Techniques

AML.T0020 Poison Training Data
AML.T0029 Denial of AI Service
AML.T0043 Craft Adversarial Data
AML.T0043.003 Manual Modification

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 8.4
NIST AI RMF: MS-2.5
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.histogram_fixed_width` is vulnerable to a crash when the values array contains `Not a Number` (`NaN`) elements. The implementation assumes that all floating point operations are defined and then converts a floating point result to an integer index. If `values` contains `NaN` then the result of the division is still `NaN` and the cast to `int32` would result in a crash. This only occurs on the CPU implementation. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Exploitation Scenario

An adversary with write access to a training dataset (e.g., contributing poisoned data to a shared data lake, or manipulating an upstream data pipeline) injects NaN values into numeric feature columns. When the downstream TF training job calls tf.histogram_fixed_width to compute feature distributions—common in monitoring, logging, or preprocessing steps—the CPU kernel performs an undefined NaN-to-int32 cast and crashes. In an automated ML pipeline this disrupts or halts training without triggering security alerts, acting as a low-noise denial-of-service that could be used to delay model updates or cause silent pipeline failures.

Weaknesses (CWE)

CWE-20 — Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

  • [Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
  • [Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
May 21, 2022
Last Modified
November 21, 2024
First Seen
May 21, 2022
