CVE-2022-35934 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

A remote, unauthenticated attacker can crash any TensorFlow serving endpoint by submitting a crafted tensor that overflows the element count in tf.reshape, triggering an assertion failure. No privileges or user interaction required — CVSS 7.5. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2; prioritize internet-facing inference APIs.

Risk Assessment

High severity due to network-accessible, zero-authentication DoS with low attack complexity. While the impact is limited to availability (no data exfiltration or code execution), AI inference infrastructure is a high-value target for availability attacks — downtime of model-serving endpoints directly impacts business operations. No active exploitation reported and not in CISA KEV, reducing urgency slightly. Organizations with public-facing TensorFlow serving APIs are most exposed.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 12% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately.
Input validation: Add server-side bounds checks on tensor shape dimensions before passing to tf.reshape — reject inputs where the product of dimensions exceeds a safe threshold (e.g., 2^31-1 elements).
API gateway: Rate-limit and validate Content-Length/shape parameters at the load balancer level.
Isolation: Run inference workers in separate processes/containers so a crash does not take down the entire serving stack.
Detection: Alert on abnormal process crash rates or SIGABRT signals in TensorFlow serving processes.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

8.4 - AI Risk Treatment 9.1 - Monitoring, Measurement, Analysis and Evaluation

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain effectiveness of deployed AI MAP 1.6 - Risks and potential impacts are documented

OWASP LLM Top 10

LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2022-35934?

A remote, unauthenticated attacker can crash any TensorFlow serving endpoint by submitting a crafted tensor that overflows the element count in tf.reshape, triggering an assertion failure. No privileges or user interaction required — CVSS 7.5. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2; prioritize internet-facing inference APIs.

Is CVE-2022-35934 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-35934, increasing the risk of exploitation.

How to fix CVE-2022-35934?

1. Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately. 2. Input validation: Add server-side bounds checks on tensor shape dimensions before passing to tf.reshape — reject inputs where the product of dimensions exceeds a safe threshold (e.g., 2^31-1 elements). 3. API gateway: Rate-limit and validate Content-Length/shape parameters at the load balancer level. 4. Isolation: Run inference workers in separate processes/containers so a crash does not take down the entire serving stack. 5. Detection: Alert on abnormal process crash rates or SIGABRT signals in TensorFlow serving processes.

What systems are affected by CVE-2022-35934?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference endpoints, training pipelines, batch scoring pipelines.

What is the CVSS score for CVE-2022-35934?

CVE-2022-35934 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. The implementation of tf.reshape op in TensorFlow is vulnerable to a denial of service via CHECK-failure (assertion failure) caused by overflowing the number of elements in a tensor. This issue has been patched in GitHub commit 61f0f9b94df8c0411f0ad0ecc2fec2d3f3c33555. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary identifies a public TensorFlow Serving gRPC or REST endpoint (e.g., via Shodan or by probing known model API paths). They craft a PredictRequest with a tensor specifying a shape whose element product overflows int64, such as [2^32, 2^32]. When tf.reshape processes this input, the internal CHECK assertion fires, triggering SIGABRT and crashing the serving process. The attacker automates this in a loop to maintain continuous downtime. No ML knowledge is required — the payload is a trivially crafted numeric array.