CVE-2022-35989 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

Any TensorFlow deployment accepting externally-influenced inputs to GPU-accelerated MaxPool operations is vulnerable to remote service crash. Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately — no workaround exists. Prioritize inference-serving infrastructure exposed to untrusted inputs.

Risk Assessment

CVSS 7.5 High with AV:N/AC:L/PR:N/UI:N makes this exploitable by unauthenticated attackers over the network with no user interaction. Exploitability is straightforward: crafting an oversized ksize array is trivial. Impact is limited to availability (no C/I impact), but in production ML inference services this translates to complete service disruption. Real-world exposure depends on whether ksize parameters are user-controlled; direct TF Serving deployments without input sanitization are most at risk.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 20% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

PATCH

Upgrade to TensorFlow 2.10.0, or apply cherrypicks to 2.9.1 / 2.8.1 / 2.7.2 (commit 32d7bd3defd134f21a4e344c8dfd40099aaf6b18).
VALIDATE INPUTS

Enforce server-side validation that ksize dimensions do not exceed input tensor dimensions before GPU execution.
NETWORK CONTROLS

Restrict TF Serving endpoints to authenticated clients; reject malformed requests at the API gateway layer.
DETECT

Monitor for abnormal GPU process crashes or serving pod restarts — repeated crashes targeting MaxPool ops may indicate active exploitation.
INVENTORY

Audit all TF versions in use via SBOM or container image scanning; flag any 2.7.x–2.9.x deployments without the patch.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

6.1.2 - AI Risk Assessment 9.1 - Monitoring, Measurement, Analysis and Evaluation

NIST AI RMF

GOVERN-6.1 - Policies for AI Risk MANAGE-2.4 - Residual Risk Treatment

Frequently Asked Questions

What is CVE-2022-35989?

Any TensorFlow deployment accepting externally-influenced inputs to GPU-accelerated MaxPool operations is vulnerable to remote service crash. Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately — no workaround exists. Prioritize inference-serving infrastructure exposed to untrusted inputs.

Is CVE-2022-35989 actively exploited?

No confirmed active exploitation of CVE-2022-35989 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-35989?

1. PATCH: Upgrade to TensorFlow 2.10.0, or apply cherrypicks to 2.9.1 / 2.8.1 / 2.7.2 (commit 32d7bd3defd134f21a4e344c8dfd40099aaf6b18). 2. VALIDATE INPUTS: Enforce server-side validation that ksize dimensions do not exceed input tensor dimensions before GPU execution. 3. NETWORK CONTROLS: Restrict TF Serving endpoints to authenticated clients; reject malformed requests at the API gateway layer. 4. DETECT: Monitor for abnormal GPU process crashes or serving pod restarts — repeated crashes targeting MaxPool ops may indicate active exploitation. 5. INVENTORY: Audit all TF versions in use via SBOM or container image scanning; flag any 2.7.x–2.9.x deployments without the patch.

What systems are affected by CVE-2022-35989?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference.

What is the CVSS score for CVE-2022-35989?

CVE-2022-35989 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. When `MaxPool` receives a window size input array `ksize` with dimensions greater than its input tensor `input`, the GPU kernel gives a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 32d7bd3defd134f21a4e344c8dfd40099aaf6b18. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary identifies a TensorFlow Serving endpoint (or custom inference API) processing CNN-based models with MaxPool layers on GPU. They submit an inference request crafting the ksize window size parameter to exceed the spatial dimensions of the input tensor. The GPU kernel hits a CHECK assertion failure and crashes the serving process. In Kubernetes environments this triggers a pod restart, creating a brief outage window. Repeated requests maintain a sustained DoS, degrading SLA for downstream applications. In shared ML platforms, this could be used to disrupt competing tenants or mask other malicious activity during the outage window.