CVE-2022-35979 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

TensorFlow's QuantizedRelu/QuantizedRelu6 ops crash with nonscalar min/max inputs, enabling unauthenticated network-based DoS with CVSS 7.5. Any TF inference endpoint using quantized models is reachable with zero credentials required. Patch to TF 2.10.0 (or backport releases 2.9.1/2.8.1/2.7.2) immediately and enforce scalar input validation at API boundaries.

Risk Assessment

High risk for organizations exposing TensorFlow inference APIs. CVSS 7.5 reflects a network-accessible, no-auth, no-interaction attack path delivering full availability impact. Quantized models are ubiquitous in production serving for efficiency, making this broadly applicable. No active exploitation recorded and not in CISA KEV, reducing urgency somewhat, but trivial exploit complexity warrants prompt patching of any externally accessible TF serving deployment.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 20% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch: Upgrade to TensorFlow 2.10.0, or apply cherrypick commit 49b3824d83af to 2.9.1, 2.8.1, or 2.7.2.
Input validation: Enforce scalar shape constraints on min_features/max_features at API gateway level before reaching TF ops.
Isolation: Run TF Serving in isolated containers with process supervision and auto-restart to limit blast radius.
Network controls: Restrict inference endpoint access to authorized clients; implement rate limiting to slow crash-loop abuse.
Detection: Alert on segfault-triggered crashes in TF serving processes as a potential exploitation indicator.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.4 - Information security for AI systems

NIST AI RMF

MANAGE 2.2 - Mechanisms to respond to and recover from AI risk

OWASP LLM Top 10

LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2022-35979?

TensorFlow's QuantizedRelu/QuantizedRelu6 ops crash with nonscalar min/max inputs, enabling unauthenticated network-based DoS with CVSS 7.5. Any TF inference endpoint using quantized models is reachable with zero credentials required. Patch to TF 2.10.0 (or backport releases 2.9.1/2.8.1/2.7.2) immediately and enforce scalar input validation at API boundaries.

Is CVE-2022-35979 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-35979, increasing the risk of exploitation.

How to fix CVE-2022-35979?

1. Patch: Upgrade to TensorFlow 2.10.0, or apply cherrypick commit 49b3824d83af to 2.9.1, 2.8.1, or 2.7.2. 2. Input validation: Enforce scalar shape constraints on min_features/max_features at API gateway level before reaching TF ops. 3. Isolation: Run TF Serving in isolated containers with process supervision and auto-restart to limit blast radius. 4. Network controls: Restrict inference endpoint access to authorized clients; implement rate limiting to slow crash-loop abuse. 5. Detection: Alert on segfault-triggered crashes in TF serving processes as a potential exploitation indicator.

What systems are affected by CVE-2022-35979?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference endpoints, training pipelines, edge deployment.

What is the CVSS score for CVE-2022-35979?

CVE-2022-35979 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. If `QuantizedRelu` or `QuantizedRelu6` are given nonscalar inputs for `min_features` or `max_features`, it results in a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 49b3824d83af706df0ad07e4e677d88659756d89. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary identifies a publicly accessible TensorFlow Serving endpoint hosting a quantized model. Without credentials, the adversary crafts an inference request passing a nonscalar tensor (e.g., a 2D array) as the min_features or max_features parameter to a QuantizedRelu layer. TensorFlow fails to validate input shape (CWE-20), triggering a segmentation fault that crashes the serving process. The adversary repeats requests at intervals to sustain a denial-of-service condition against the AI inference infrastructure, effectively taking the AI-dependent application offline.