CVE-2022-35968 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

Unauthenticated remote attackers can crash TensorFlow inference services by sending malformed input to any model using average pooling—CNNs, image classifiers, ResNets. No credentials or ML expertise required, just a crafted tensor with invalid shape. Patch to TF 2.10.0 (or 2.9.1/2.8.1/2.7.2 for supported branches) immediately and add input shape validation at your API boundary as defense-in-depth.

Risk Assessment

Operationally significant for organizations exposing TensorFlow serving endpoints publicly. CVSS 7.5 accurately reflects the low-barrier network attack with guaranteed availability impact—AV:N/AC:L/PR:N/UI:N leaves no friction for an attacker. No privilege escalation or data exfiltration risk, but repeated triggering of the CHECK failure causes process crashes with no workaround short of patching. Risk is highest for image-processing pipelines and CNN-based inference APIs reachable from untrusted networks.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 21% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch: Upgrade to TensorFlow 2.10.0, or cherrypick to 2.9.1/2.8.1/2.7.2 for in-range versions.
Input validation: Enforce strict tensor shape checking at the API boundary before data reaches TF operations—reject requests with shapes inconsistent with your model's expected input.
Process isolation: Run TF Serving in isolated containers with auto-restart policies to minimize downtime from crashes.
Rate limiting: Apply rate limiting and anomaly detection on inference endpoints to slow repeated DoS attempts.
Detection: Alert on unexpected TF process crashes or log lines containing CHECK failure traces from AvgPoolGrad.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.2.6 - AI System Availability and Resilience

NIST AI RMF

GOVERN 6.1 - Policies and Procedures for AI Risk Governance MANAGE 2.4 - AI Risk Treatment and Response

Frequently Asked Questions

What is CVE-2022-35968?

Unauthenticated remote attackers can crash TensorFlow inference services by sending malformed input to any model using average pooling—CNNs, image classifiers, ResNets. No credentials or ML expertise required, just a crafted tensor with invalid shape. Patch to TF 2.10.0 (or 2.9.1/2.8.1/2.7.2 for supported branches) immediately and add input shape validation at your API boundary as defense-in-depth.

Is CVE-2022-35968 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-35968, increasing the risk of exploitation.

How to fix CVE-2022-35968?

1. Patch: Upgrade to TensorFlow 2.10.0, or cherrypick to 2.9.1/2.8.1/2.7.2 for in-range versions. 2. Input validation: Enforce strict tensor shape checking at the API boundary before data reaches TF operations—reject requests with shapes inconsistent with your model's expected input. 3. Process isolation: Run TF Serving in isolated containers with auto-restart policies to minimize downtime from crashes. 4. Rate limiting: Apply rate limiting and anomaly detection on inference endpoints to slow repeated DoS attempts. 5. Detection: Alert on unexpected TF process crashes or log lines containing CHECK failure traces from AvgPoolGrad.

What systems are affected by CVE-2022-35968?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, training pipelines.

What is the CVSS score for CVE-2022-35968?

CVE-2022-35968 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.07%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. The implementation of `AvgPoolGrad` does not fully validate the input `orig_input_shape`. This results in a `CHECK` failure which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 3a6ac52664c6c095aa2b114e742b0aa17fdce78f. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary identifies a publicly accessible TensorFlow Serving endpoint through passive reconnaissance or active scanning. Using the model's known architecture or through probing responses, they determine the endpoint uses a CNN with average pooling. They craft an inference request with an invalid orig_input_shape tensor—mismatched dimensions, zero-length axes, or values inconsistent with the preceding pooling layer—that bypasses API-level checks and reaches AvgPoolGrad. The reachable assertion fires, the TF Serving process crashes, and the inference API becomes unavailable. Automated to repeat every few seconds, this produces sustained DoS against the ML inference service with no authentication and negligible cost to the attacker.