CVE-2022-35964 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

Any TensorFlow deployment running versions prior to 2.10.0/2.9.1/2.8.1/2.7.2 that exposes LSTM gradient operations over a network is vulnerable to unauthenticated remote crash. Patch immediately to the fixed versions; no workaround exists. Prioritize training infrastructure and model-serving endpoints that accept user-controlled tensor inputs.

Risk Assessment

CVSS 7.5 with AV:N/AC:L/PR:N/UI:N makes this trivially exploitable by any network-adjacent attacker with no authentication. The impact is confined to availability (no confidentiality or integrity loss), but repeated exploitation can permanently disrupt training jobs or inference services. Exposure is high in organizations using TF-Serving or Kubeflow pipelines with externally reachable endpoints.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 12% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch: upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately.
Network isolation: restrict TF Serving and training API endpoints to internal networks; do not expose raw TF op execution to untrusted clients.
Input validation: add upstream schema validation to reject malformed tensor shapes before they reach TF ops.
Detection: monitor for abnormal process crashes or pod restarts in ML infrastructure; alert on TF worker SIGSEGV signals.
No workaround exists per vendor advisory—patching is the only remediation.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Training Data Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0043 - Craft Adversarial Data AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.3 - AI system availability and resilience

NIST AI RMF

GOVERN 6.1 - Policies for AI risk and vulnerability management MANAGE 2.2 - Mechanisms to sustain AI risk management

Frequently Asked Questions

What is CVE-2022-35964?

Any TensorFlow deployment running versions prior to 2.10.0/2.9.1/2.8.1/2.7.2 that exposes LSTM gradient operations over a network is vulnerable to unauthenticated remote crash. Patch immediately to the fixed versions; no workaround exists. Prioritize training infrastructure and model-serving endpoints that accept user-controlled tensor inputs.

Is CVE-2022-35964 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-35964, increasing the risk of exploitation.

How to fix CVE-2022-35964?

1. Patch: upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately. 2. Network isolation: restrict TF Serving and training API endpoints to internal networks; do not expose raw TF op execution to untrusted clients. 3. Input validation: add upstream schema validation to reject malformed tensor shapes before they reach TF ops. 4. Detection: monitor for abnormal process crashes or pod restarts in ML infrastructure; alert on TF worker SIGSEGV signals. 5. No workaround exists per vendor advisory—patching is the only remediation.

What systems are affected by CVE-2022-35964?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML infrastructure.

What is the CVSS score for CVE-2022-35964?

CVE-2022-35964 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. The implementation of `BlockLSTMGradV2` does not fully validate its inputs. This results in a a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 2a458fc4866505be27c62f81474ecb2b870498fa. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary identifies a publicly reachable TensorFlow Serving endpoint or an internal MLOps API (e.g., Kubeflow pipeline trigger) that internally invokes LSTM gradient operations. They craft a malformed tensor input with unexpected shape or dtype for the BlockLSTMGradV2 kernel—no authentication or AI/ML expertise required, just knowledge of TF op signatures (publicly documented). The malformed input bypasses TF's incomplete input validation and triggers a segfault, killing the TF process. In a training cluster, this aborts long-running jobs. In a serving context, it takes the inference endpoint offline. Automated retries with the same payload produce a sustained DoS.