CVE-2022-35965: TensorFlow: NULL deref DoS via empty tensor input

HIGH PoC AVAILABLE
Published September 16, 2022
CISO Take

A remotely exploitable NULL pointer dereference in TensorFlow's LowerBound/UpperBound ops allows an unauthenticated attacker to crash any TF Serving instance by sending a crafted empty tensor — no ML knowledge required. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2; there are no workarounds. If you expose TensorFlow inference endpoints to untrusted networks, treat this as urgent: sustained exploitation takes down your inference API entirely.

Risk Assessment

HIGH operational risk for organizations running internet-exposed TensorFlow Serving endpoints. CVSS 7.5 reflects the worst-case scenario accurately: network-reachable, zero authentication, zero user interaction, and trivially repeatable. The blast radius is availability-only — no data exfiltration or code execution — but in production ML pipelines, a downed inference API cascades into application-level outages. Internal-only deployments behind network controls are materially lower risk. Not in CISA KEV and no confirmed active exploitation, which tempers urgency slightly for well-segmented environments.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 22% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

Recommended Action

  1. PATCH

    Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 — no workarounds exist per the advisory.

  2. INPUT VALIDATION

    Add a preprocessing layer or API gateway check to reject empty tensors before they reach TF ops; validate tensor shapes at ingress.

  3. NETWORK CONTROLS

    If patching is delayed, restrict TF Serving ports (8500/8501) to trusted networks; do not expose them directly to the internet.

  4. DETECTION

    Monitor inference endpoints for repeated 500 errors or service restarts — patterns of empty or malformed tensor submissions may indicate probing.

  5. CONTAINER RESTART POLICY

    Ensure TF Serving containers have auto-restart configured to minimize downtime if exploited before patching.
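
An added example (not from the advisory or the TensorFlow project) of the ingress check in step 2: it rejects a TF Serving REST predict body that contains any zero-length array and reports where, so the rejection can also feed the monitoring in step 4. It assumes no model input legitimately accepts an empty array; `MAX_BODY_BYTES`, the function names and the sample bodies are constructed for illustration.

```python
import json

MAX_BODY_BYTES = 1 << 20  # assumed ingress size limit; tune per model

def empty_array_paths(node, path="$"):
    """Yield the JSON path of every zero-length array under node."""
    if isinstance(node, list):
        if not node:
            yield path
        for i, child in enumerate(node):
            yield from empty_array_paths(child, f"{path}[{i}]")
    elif isinstance(node, dict):
        for key, child in node.items():
            yield from empty_array_paths(child, f"{path}.{key}")

def check_predict_body(raw: bytes):
    """Return (allowed, reason) for a TF Serving REST predict body."""
    if len(raw) > MAX_BODY_BYTES:
        return False, "body too large"
    try:
        body = json.loads(raw)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return False, "invalid JSON"
    if not isinstance(body, dict):
        return False, "body must be a JSON object"
    # Row format carries tensors in "instances", columnar format in "inputs".
    present = [k for k in ("instances", "inputs") if k in body]
    if len(present) != 1:
        return False, "exactly one of instances/inputs required"
    key = present[0]
    empties = list(empty_array_paths(body[key], f"$.{key}"))
    if empties:
        return False, "empty tensor at " + ", ".join(empties)
    return True, "ok"

# Constructed sample bodies; the tensor names are illustrative only.
SAMPLES = [
    b'{"instances": [[1.0, 2.0], [3.0, 4.0]]}',
    b'{"inputs": {"sorted_inputs": [], "values": [[1, 2]]}}',
    b'{"instances": [{"sorted_inputs": [[]], "values": [1]}]}',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_predict_body(sample))
```

This covers only the JSON REST interface on port 8501; requests on the gRPC port (8500) carry tensors in a different encoding and need their own shape check.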

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 17 - Quality Management System
Article 9 - Risk Management System
ISO 42001
A.6.2.6 - AI System Availability and Reliability
NIST AI RMF
MANAGE 2.4 - Residual risks are managed

Frequently Asked Questions

What is CVE-2022-35965?

A remotely exploitable NULL pointer dereference in TensorFlow's LowerBound/UpperBound ops allows an unauthenticated attacker to crash any TF Serving instance by sending a crafted empty tensor — no ML knowledge required. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2; there are no workarounds. If you expose TensorFlow inference endpoints to untrusted networks, treat this as urgent: sustained exploitation takes down your inference API entirely.

Is CVE-2022-35965 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-35965, increasing the risk of exploitation.

How to fix CVE-2022-35965?

1. PATCH: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 — no workarounds exist per the advisory.
2. INPUT VALIDATION: Add a preprocessing layer or API gateway check to reject empty tensors before they reach TF ops; validate tensor shapes at ingress.
3. NETWORK CONTROLS: If patching is delayed, restrict TF Serving ports (8500/8501) to trusted networks; do not expose them directly to the internet.
4. DETECTION: Monitor inference endpoints for repeated 500 errors or service restarts — patterns of empty or malformed tensor submissions may indicate probing.
5. CONTAINER RESTART POLICY: Ensure TF Serving containers have auto-restart configured to minimize downtime if exploited before patching.

What systems are affected by CVE-2022-35965?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference endpoints, training pipelines, recommendation/ranking systems.

What is the CVSS score for CVE-2022-35965?

CVE-2022-35965 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.07%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. If `LowerBound` or `UpperBound` is given an empty `sorted_inputs` input, it results in a `nullptr` dereference, leading to a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit bce3717eaef4f769019fd18e990464ca4a2efeea. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary identifies a publicly accessible TensorFlow Serving REST endpoint (port 8501) via Shodan or similar scanning. They send a POST request to /v1/models/target_model:predict with a payload containing an empty array for a tensor that feeds into a LowerBound or UpperBound op. TensorFlow processes the request, encounters a NULL pointer dereference, and segfaults — crashing the TF Serving process. The attacker repeats this request in a loop (even with a basic script) to maintain denial of service. No authentication, no special tooling, and no ML knowledge required — this is a classic availability attack against an AI-specific software stack.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: September 16, 2022
Last Modified: November 21, 2024
First Seen: September 16, 2022
