CVE-2022-29213: TensorFlow: input validation DoS in FFT signal ops

MEDIUM PoC AVAILABLE CISA: TRACK*
Published May 21, 2022
CISO Take

Low operational risk — local-only DoS in TensorFlow's rfft2d/rfft3d signal functions, no confidentiality or integrity impact. Patches have been available since May 2022 across TF 2.6.4, 2.7.2, 2.8.1, and 2.9.0. Prioritize upgrade only if ML teams are running unpatched TensorFlow in shared compute environments where crashes could disrupt training pipelines or model serving.

Risk Assessment

Low-medium operational risk. Local access required limits exploitation to insider threats, compromised developer machines, or multi-tenant shared compute environments (Jupyter hubs, ML platforms). No confidentiality or integrity impact — availability only. Not in CISA KEV with no evidence of active exploitation. Organizations running TF ≥2.6.4, ≥2.7.2, ≥2.8.1, or ≥2.9.0 are fully remediated. CVSS 5.5 appropriately reflects the constrained attack surface.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip every release before 2.6.4, 2.7.2, 2.8.1 or 2.9.0 on its release branch 2.6.4 / 2.7.2 / 2.8.1 / 2.9.0

Do you use tensorflow at a version below 2.6.4, 2.7.2, 2.8.1 or 2.9.0 on its branch? You're affected.

Severity & Risk

CVSS 3.1
5.5 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 28% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Metric Value
Attack Vector (AV) Local
Attack Complexity (AC) Low
Privileges Required (PR) Low
User Interaction (UI) None
Scope (S) Unchanged
Confidentiality (C) None
Integrity (I) None
Availability (A) High

Recommended Action

5 steps
  1. Patch: Upgrade TensorFlow to ≥2.6.4, ≥2.7.2, ≥2.8.1, or ≥2.9.0 — patches released May 2022.

  2. Audit: Search codebase for tf.compat.v1.signal.rfft2d and tf.compat.v1.signal.rfft3d usage, and for the TF2 aliases tf.signal.rfft2d and tf.signal.rfft3d, which are the same Python functions and reach the same op kernel.

  3. Compensating control: Where the input tensor or fft_length is derived from untrusted data, validate in Python before the call: the input must have a fully known shape with at least 2 (rfft2d) or 3 (rfft3d) dimensions, and fft_length must be a 1-D vector of exactly 2 or 3 positive integers. A Python-level ValueError is recoverable; a kernel CHECK failure aborts the whole process.

  4. Detection: Monitor for unexpected TF process crashes in ML infrastructure and alert on abnormal termination patterns.

  5. Isolation: Run training jobs in isolated containers to contain blast radius of crashes in shared environments.
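The following is an added example of the compensating control in step 3 (it is not TensorFlow's own patch or a snippet from the advisory): a fail-closed validator that sits in front of the real-FFT ops and turns malformed arguments into a catchable Python exception instead of letting them reach the C++ kernel, where a CHECK failure would abort the process. It assumes, per the NVD description, that the crash is reached through unvalidated input shape or fft_length arguments. It generalises beyond the two functions named on this page to rfft (rank 1) as well, since the three share one argument convention. The validator is pure Python so it runs without TensorFlow installed; only `guarded_rfft` imports TensorFlow, and only when called. The test argument sets at the bottom are constructed for illustration.

```python
"""Compensating control for CVE-2022-29213: fail-closed argument validation
in front of TensorFlow's real-FFT ops (tf.signal.rfft / rfft2d / rfft3d).

Illustrative code added to this page, not TensorFlow's own fix. Assumption:
the crash described in the advisory is a CHECK failure reached via malformed
fft_length or input-shape arguments, so rejecting those in Python keeps them
away from the kernel. The validator needs no TensorFlow; guarded_rfft imports
it lazily.
"""
from collections.abc import Sequence
from numbers import Integral
from typing import Tuple

# fft_rank -> name of the op under tf.signal
_RFFT_OPS = {1: "rfft", 2: "rfft2d", 3: "rfft3d"}


class UnsafeFFTArgument(ValueError):
    """Raised in Python instead of letting a bad argument reach the kernel."""


def _is_int(value) -> bool:
    # bool is an Integral subclass in Python; treat True/False as malformed.
    return isinstance(value, Integral) and not isinstance(value, bool)


def validate_rfft_args(input_shape, fft_length, fft_rank: int) -> Tuple[int, ...]:
    """Check arguments for an fft_rank-dimensional real FFT.

    Returns the effective fft_length as a tuple of positive ints, or raises
    UnsafeFFTArgument for any argument the kernel must not see.
    """
    if fft_rank not in _RFFT_OPS:
        raise UnsafeFFTArgument(f"fft_rank must be 1, 2 or 3, got {fft_rank!r}")

    # The input shape must be fully known (no None dims, e.g. from an unknown
    # placeholder) and have at least fft_rank trailing dims to transform.
    dims = tuple(input_shape)
    if any(not _is_int(d) or d < 0 for d in dims):
        raise UnsafeFFTArgument(f"input shape must be concrete non-negative ints, got {dims!r}")
    shape = tuple(int(d) for d in dims)
    if len(shape) < fft_rank:
        raise UnsafeFFTArgument(f"input rank {len(shape)} is below fft_rank {fft_rank}")

    # fft_length=None means "transform the innermost fft_rank dims as they are".
    if fft_length is None:
        return shape[-fft_rank:]

    # Otherwise fft_length must be a flat sequence of exactly fft_rank positive
    # integers: reject scalars, strings, nested lists, floats, bools, zero or
    # negative sizes and wrong element counts.
    if isinstance(fft_length, (str, bytes)) or not isinstance(fft_length, Sequence):
        raise UnsafeFFTArgument(f"fft_length must be a 1-D sequence, got {fft_length!r}")
    if len(fft_length) != fft_rank:
        raise UnsafeFFTArgument(
            f"fft_length needs exactly {fft_rank} entries, got {len(fft_length)}")
    lengths = []
    for n in fft_length:
        if not _is_int(n) or n <= 0:
            raise UnsafeFFTArgument(f"fft_length entries must be positive ints, got {n!r}")
        lengths.append(int(n))
    return tuple(lengths)


def rejects(input_shape, fft_length, fft_rank: int) -> bool:
    """True if the validator blocks this argument combination."""
    try:
        validate_rfft_args(input_shape, fft_length, fft_rank)
    except UnsafeFFTArgument:
        return True
    return False


def guarded_rfft(x, fft_length=None, fft_rank: int = 2):
    """Validate, then dispatch to tf.signal.rfft / rfft2d / rfft3d.

    TensorFlow is imported here, not at module level, so the validator above
    can be used and tested without it. x is converted to float32, the input
    dtype these ops take.
    """
    import tensorflow as tf  # deferred import: only needed at call time

    tensor = tf.convert_to_tensor(x, dtype=tf.float32)
    length = validate_rfft_args(tensor.shape.as_list(), fft_length, fft_rank)
    op = getattr(tf.signal, _RFFT_OPS[fft_rank])
    return op(tensor, fft_length=tf.constant(length, dtype=tf.int32))


if __name__ == "__main__":
    # Constructed argument sets: the first and last are well-formed, the rest
    # are the kinds of malformed values the guard is there to stop.
    for args in [((4, 8, 8), [8, 8], 2), ((4, 8, 8), [8], 2),
                 ((4, 8, 8), [[8, 8]], 2), ((8,), [8, 8], 2),
                 ((4, 8, 8), [8, -1], 2), ((4, 8, 8), 8, 2),
                 ((2, 4, 4, 4), None, 3)]:
        print(args, "REJECTED" if rejects(*args) else "ok")
```

Call `guarded_rfft(features, fft_length=[64, 64], fft_rank=2)` wherever untrusted arguments previously flowed straight into rfft2d; on patched TensorFlow the wrapper is redundant but harmless, so it can stay in place across the upgrade.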

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.8.4 - AI System Lifecycle — Vulnerability Management
NIST AI RMF
MANAGE 2.2 - AI Risk Treatment — Incident and Vulnerability Response
OWASP LLM Top 10
LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2022-29213?

Low operational risk — local-only DoS in TensorFlow's rfft2d/rfft3d signal functions, no confidentiality or integrity impact. Patches have been available since May 2022 across TF 2.6.4, 2.7.2, 2.8.1, and 2.9.0. Prioritize upgrade only if ML teams are running unpatched TensorFlow in shared compute environments where crashes could disrupt training pipelines or model serving.

Is CVE-2022-29213 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-29213, which lowers the bar to triggering the crash, but the CVE is not in CISA KEV and there is no evidence of active exploitation. The attack vector is local, and the impact is limited to availability.

How to fix CVE-2022-29213?

1. Patch: Upgrade TensorFlow to ≥2.6.4, ≥2.7.2, ≥2.8.1, or ≥2.9.0 — patches released May 2022.
2. Audit: Search codebase for tf.compat.v1.signal.rfft2d and tf.compat.v1.signal.rfft3d usage.
3. Compensating control: Add explicit tensor shape validation before passing inputs to these functions in untrusted-input scenarios.
4. Detection: Monitor for unexpected TF process crashes in ML infrastructure and alert on abnormal termination patterns.
5. Isolation: Run training jobs in isolated containers to contain blast radius of crashes in shared environments.

What systems are affected by CVE-2022-29213?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, research notebooks, shared ML compute.

What is the CVSS score for CVE-2022-29213?

CVE-2022-29213 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.11%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, `tf.compat.v1.signal.rfft2d` and `tf.compat.v1.signal.rfft3d` lack input validation and under certain conditions can result in crashes (due to `CHECK`-failures). Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Exploitation Scenario

An attacker with local access to a shared ML compute environment (e.g., Jupyter Hub, shared GPU cluster) submits a crafted tensor with malformed dimensions to a model pipeline using TF's rfft2d/rfft3d operations. The missing input validation triggers a CHECK assertion failure, crashing the TensorFlow process and terminating co-located training runs. In a multi-tenant ML platform, this could be used to repeatedly sabotage competitors' training jobs or disrupt a model serving endpoint processing signal-based features — with no special ML knowledge required beyond knowing the target function signatures.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
May 21, 2022
Last Modified
November 21, 2024
First Seen
May 21, 2022

Related Vulnerabilities