CVE-2022-35935 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

Any TensorFlow deployment exposing SobolSample operations through an inference API that accepts untrusted inputs is vulnerable to unauthenticated service crashes with a single malformed request. Patch to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately. If patching is delayed, enforce scalar tensor input validation at the API gateway before requests reach the TF runtime.

Risk Assessment

Network-accessible (AV:N), zero authentication required (PR:N), no user interaction needed — trivially exploitable by any attacker who can reach the TF serving endpoint. Impact is strictly availability (A:H); no confidentiality or integrity risk. Risk is elevated in production ML serving environments with uptime SLAs or in training pipelines where a crash halts long-running jobs. Lower risk if TF operations are behind strong authentication or if SobolSampleOp is not used in the exposed workload.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 26% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Upgrade TensorFlow to ≥2.10.0; if on an older supported branch, apply cherrypick patches for 2.9.1, 2.8.1, or 2.7.2.
Add input validation middleware at the API boundary to enforce scalar rank/shape for any Sobol-related operations before tensors reach the TF runtime.
If upgrade is blocked, consider disabling or removing SobolSampleOp access from externally accessible endpoints.
Monitor for abnormal process restarts or crash loops in TF serving pods as an indicator of exploitation attempts.
Apply network-level controls (WAF rules, authentication) to TF inference APIs to reduce the unauthenticated attack surface.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

8.4 - AI system operation and monitoring

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain deployment of trustworthy AI

OWASP LLM Top 10

LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2022-35935?

Any TensorFlow deployment exposing SobolSample operations through an inference API that accepts untrusted inputs is vulnerable to unauthenticated service crashes with a single malformed request. Patch to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately. If patching is delayed, enforce scalar tensor input validation at the API gateway before requests reach the TF runtime.

Is CVE-2022-35935 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-35935, increasing the risk of exploitation.

How to fix CVE-2022-35935?

1. Upgrade TensorFlow to ≥2.10.0; if on an older supported branch, apply cherrypick patches for 2.9.1, 2.8.1, or 2.7.2. 2. Add input validation middleware at the API boundary to enforce scalar rank/shape for any Sobol-related operations before tensors reach the TF runtime. 3. If upgrade is blocked, consider disabling or removing SobolSampleOp access from externally accessible endpoints. 4. Monitor for abnormal process restarts or crash loops in TF serving pods as an indicator of exploitation attempts. 5. Apply network-level controls (WAF rules, authentication) to TF inference APIs to reduce the unauthenticated attack surface.

What systems are affected by CVE-2022-35935?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps pipelines.

What is the CVSS score for CVE-2022-35935?

CVE-2022-35935 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.09%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. The implementation of SobolSampleOp is vulnerable to a denial of service via CHECK-failure (assertion failure) caused by assuming `input(0)`, `input(1)`, and `input(2)` to be scalar. This issue has been patched in GitHub commit c65c67f88ad770662e8f191269a907bf2b94b1bf. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary discovers a publicly accessible TensorFlow serving endpoint (via API docs, Shodan, or reconnaissance of a target's ML inference infrastructure). They craft a request that passes a 2D or higher-rank tensor to a model invoking SobolSampleOp, where only scalar inputs are expected. The internal CHECK assertion fires, crashing the TF process. On Kubernetes or managed ML serving platforms with auto-restart enabled, the attacker loops this request at low frequency to maintain persistent service unavailability while evading rate-limit thresholds — resulting in effective DoS at near-zero cost.