CVE-2022-35992 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

A remotely exploitable denial-of-service vulnerability in TensorFlow allows any unauthenticated attacker to crash inference services by sending a tensor with a multi-rank element_shape to TensorListFromTensor. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2 — no workaround exists. Public-facing TensorFlow Serving endpoints are the highest-priority remediation target.

Risk Assessment

High operational risk for organizations exposing TensorFlow-based inference APIs to untrusted input. CVSS 7.5 with network-accessible, zero-authentication, zero-interaction exploit makes this trivially weaponizable for service disruption. Blast radius is limited to availability — no data exfiltration or code execution — but in production ML serving environments, availability IS the business. Not in CISA KEV and no confirmed in-the-wild exploitation as of publication, reducing urgency slightly, but the exploit primitive is simple enough to appear in automated scanning tools.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 20% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

PATCH

Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 (cherry-picked fix in all supported branches). Commit 3db59a042a38f4338aa207922fa2f476e000a6ee.
VALIDATE INPUTS

Add server-side shape validation rejecting element_shape tensors with rank > 1 at the API gateway or gRPC interceptor layer before they reach TF ops.
RATE LIMIT

Apply per-client request rate limiting on inference endpoints to limit crash-loop impact if patching is delayed.
MONITOR

Alert on sudden TF Serving process restarts or inference endpoint health check failures — these may indicate active exploitation attempts.
ISOLATE

Run TensorFlow Serving in containers with auto-restart policies and resource limits to minimize blast radius per pod.

Classification

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 17 - Quality management system Article 9 - Risk management system

ISO 42001

A.6.1.2 - AI risk assessment

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place to sustain safe and effective operation

Frequently Asked Questions

What is CVE-2022-35992?

A remotely exploitable denial-of-service vulnerability in TensorFlow allows any unauthenticated attacker to crash inference services by sending a tensor with a multi-rank element_shape to TensorListFromTensor. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2 — no workaround exists. Public-facing TensorFlow Serving endpoints are the highest-priority remediation target.

Is CVE-2022-35992 actively exploited?

No confirmed active exploitation of CVE-2022-35992 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-35992?

1. PATCH: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 (cherry-picked fix in all supported branches). Commit 3db59a042a38f4338aa207922fa2f476e000a6ee. 2. VALIDATE INPUTS: Add server-side shape validation rejecting element_shape tensors with rank > 1 at the API gateway or gRPC interceptor layer before they reach TF ops. 3. RATE LIMIT: Apply per-client request rate limiting on inference endpoints to limit crash-loop impact if patching is delayed. 4. MONITOR: Alert on sudden TF Serving process restarts or inference endpoint health check failures — these may indicate active exploitation attempts. 5. ISOLATE: Run TensorFlow Serving in containers with auto-restart policies and resource limits to minimize blast radius per pod.

What systems are affected by CVE-2022-35992?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, training pipelines, batch inference.

What is the CVSS score for CVE-2022-35992?

CVE-2022-35992 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. When `TensorListFromTensor` receives an `element_shape` of a rank greater than one, it gives a `CHECK` fail that can trigger a denial of service attack. We have patched the issue in GitHub commit 3db59a042a38f4338aa207922fa2f476e000a6ee. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

Attacker identifies a public or partner-facing TensorFlow Serving gRPC/REST endpoint. They craft a PredictRequest containing a TensorListFromTensor call with an element_shape tensor of rank 2 or higher (e.g., shape [2,2] instead of scalar or rank-1). The malformed input triggers the internal CHECK assertion in the TF runtime, immediately crashing the serving process. In Kubernetes deployments without proper liveness/readiness probes, the pod may be restarted but an attacker flooding the endpoint can maintain persistent outage. No authentication, no ML knowledge, and no exploit tooling required — a single malformed gRPC call suffices.