CVE-2022-35934: TensorFlow: tf.reshape DoS via integer overflow

HIGH | PoC AVAILABLE
Published September 16, 2022

CISO Take

A remote, unauthenticated attacker can crash any TensorFlow serving endpoint by submitting a crafted tensor that overflows the element count in tf.reshape, triggering an assertion failure. No privileges or user interaction required — CVSS 7.5. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2; prioritize internet-facing inference APIs.

What is the risk?

High severity due to network-accessible, zero-authentication DoS with low attack complexity. While the impact is limited to availability (no data exfiltration or code execution), AI inference infrastructure is a high-value target for availability attacks — downtime of model-serving endpoints directly impacts business operations. No active exploitation reported and not in CISA KEV, reducing urgency slightly. Organizations with public-facing TensorFlow serving APIs are most exposed.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 30% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

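AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High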

What should I do?

5 steps
  1. Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately.

  2. Input validation: Add server-side bounds checks on tensor shape dimensions before passing to tf.reshape — reject inputs where the product of dimensions exceeds a safe threshold (e.g., 2^31-1 elements).

  3. API gateway: Rate-limit and validate Content-Length/shape parameters at the load balancer level.

  4. Isolation: Run inference workers in separate processes/containers so a crash does not take down the entire serving stack.

  5. Detection: Alert on abnormal process crash rates or SIGABRT signals in TensorFlow serving processes.
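
The bounds check from step 2, written as a pre-flight validator that runs before a requested shape reaches tf.reshape. This is an added example, not code from TensorFlow or the advisory; `validate_reshape`, `is_safe_reshape`, `ShapeRejected` and the `MAX_RANK` limit are assumed names and values.

```python
MAX_ELEMENTS = 2**31 - 1   # threshold suggested in step 2; tune per model
MAX_RANK = 8               # assumption: deployment-specific limit on rank


class ShapeRejected(ValueError):
    """Raised when a requested shape must not reach tf.reshape."""


def validate_reshape(input_elems, shape, max_elements=MAX_ELEMENTS):
    """Return the concrete target shape as a tuple, or raise ShapeRejected."""
    if not isinstance(shape, (list, tuple)) or len(shape) > MAX_RANK:
        raise ShapeRejected("shape must be a list of at most MAX_RANK dims")
    if not 0 <= input_elems <= max_elements:
        raise ShapeRejected("input element count out of range")
    known, wildcard = 1, None
    for i, dim in enumerate(shape):
        # bool is a subclass of int in Python; reject it explicitly.
        if isinstance(dim, bool) or not isinstance(dim, int):
            raise ShapeRejected(f"dim {i}: not an integer")
        if dim == -1:  # reshape's "infer this dimension" marker
            if wildcard is not None:
                raise ShapeRejected("more than one -1 dimension")
            wildcard = i
            continue
        # Bound every dimension, so a 0 elsewhere cannot hide a huge one.
        if not 0 <= dim <= max_elements:
            raise ShapeRejected(f"dim {i}: {dim} out of range")
        known *= dim  # Python ints do not wrap, so this product is exact
        if known > max_elements:
            raise ShapeRejected("element count exceeds limit")
    dims = list(shape)
    if wildcard is not None:
        if known == 0 or input_elems % known:
            raise ShapeRejected("cannot infer -1 dimension")
        dims[wildcard] = input_elems // known
    elif known != input_elems:
        raise ShapeRejected("shape does not match input element count")
    return tuple(dims)


def is_safe_reshape(input_elems, shape):
    """Boolean wrapper for use in a request filter."""
    try:
        validate_reshape(input_elems, shape)
        return True
    except ShapeRejected:
        return False
```

Rejections raised here are ordinary exceptions that the serving layer can turn into a client error, rather than a process abort.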

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: 8.4 - AI Risk Treatment; 9.1 - Monitoring, Measurement, Analysis and Evaluation
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain effectiveness of deployed AI; MAP 1.6 - Risks and potential impacts are documented
OWASP LLM Top 10: LLM04 - Model Denial of Service

Frequently Asked Questions

Is CVE-2022-35934 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-35934, increasing the risk of exploitation.

What systems are affected by CVE-2022-35934?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference endpoints, training pipelines, batch scoring pipelines.

What is the CVSS score for CVE-2022-35934?

CVE-2022-35934 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.38%.

What is the AI security impact?

Affected AI Architectures

model serving, inference endpoints, training pipelines, batch scoring pipelines

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 8.4, 9.1
NIST AI RMF: MANAGE 2.2, MAP 1.6
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. The implementation of tf.reshape op in TensorFlow is vulnerable to a denial of service via CHECK-failure (assertion failure) caused by overflowing the number of elements in a tensor. This issue has been patched in GitHub commit 61f0f9b94df8c0411f0ad0ecc2fec2d3f3c33555. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary identifies a public TensorFlow Serving gRPC or REST endpoint (e.g., via Shodan or by probing known model API paths). They craft a PredictRequest with a tensor specifying a shape whose element product overflows int64, such as [2^32, 2^32]. When tf.reshape processes this input, the internal CHECK assertion fires, triggering SIGABRT and crashing the serving process. The attacker automates this in a loop to maintain continuous downtime. No ML knowledge is required — the payload is a trivially crafted numeric array.

Weaknesses (CWE)

CWE-617 — Reachable Assertion: The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

  • [Implementation] Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
  • [Implementation] Perform input validation on user data.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: September 16, 2022
Last Modified: November 21, 2024
First Seen: September 16, 2022
