CVE-2022-35994 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

Unauthenticated remote attackers can crash TensorFlow serving instances by sending a scalar tensor to the CollectiveGather operation, triggering a reachable CHECK assertion failure and full process termination. Any TensorFlow endpoint on versions before 2.10.0 exposed to untrusted networks is at risk. Patch to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2 in the next maintenance window; if patching is delayed, immediately restrict network access to TensorFlow serving ports.

Risk Assessment

High exploitability — network-accessible, zero-auth, low-complexity attack requiring only a malformed tensor shape. Impact is limited to availability with no confidentiality or integrity exposure. Risk is highest for organizations running TensorFlow Serving or distributed training clusters reachable from untrusted networks, and for multi-tenant ML platforms where a single tenant could DoS shared infrastructure. Absence from CISA KEV and no known active exploitation supports prioritizing this in the next patching cycle rather than emergency response.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 12% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

PATCH

Upgrade to TensorFlow 2.10.0, or apply the backport commit c1f491817dec39a26be3c574e86a88c30f3c4770 to 2.9.1, 2.8.1, or 2.7.2.
NETWORK CONTROLS

Restrict TensorFlow gRPC (port 8500) and REST (port 8501) serving endpoints to trusted IP ranges; never expose raw TF serving to the public internet.
INPUT VALIDATION

Enforce tensor shape constraints at the API gateway layer before requests reach TF ops — reject scalar inputs where non-scalar is expected.
DETECTION

Alert on unexpected TensorFlow serving process restarts and monitor logs for CHECK assertion failure patterns.
RESILIENCE

Ensure TF serving runs under a supervisor (Kubernetes deployment, systemd with Restart=always) to minimize downtime impact from crashes.

Classification

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI system operational and performance management

NIST AI RMF

MANAGE 2.2 - Mechanisms to respond to AI risks MAP 5.1 - Likelihood and magnitude of risks from AI systems

Frequently Asked Questions

What is CVE-2022-35994?

Unauthenticated remote attackers can crash TensorFlow serving instances by sending a scalar tensor to the CollectiveGather operation, triggering a reachable CHECK assertion failure and full process termination. Any TensorFlow endpoint on versions before 2.10.0 exposed to untrusted networks is at risk. Patch to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2 in the next maintenance window; if patching is delayed, immediately restrict network access to TensorFlow serving ports.

Is CVE-2022-35994 actively exploited?

No confirmed active exploitation of CVE-2022-35994 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-35994?

1. PATCH: Upgrade to TensorFlow 2.10.0, or apply the backport commit c1f491817dec39a26be3c574e86a88c30f3c4770 to 2.9.1, 2.8.1, or 2.7.2. 2. NETWORK CONTROLS: Restrict TensorFlow gRPC (port 8500) and REST (port 8501) serving endpoints to trusted IP ranges; never expose raw TF serving to the public internet. 3. INPUT VALIDATION: Enforce tensor shape constraints at the API gateway layer before requests reach TF ops — reject scalar inputs where non-scalar is expected. 4. DETECTION: Alert on unexpected TensorFlow serving process restarts and monitor logs for CHECK assertion failure patterns. 5. RESILIENCE: Ensure TF serving runs under a supervisor (Kubernetes deployment, systemd with Restart=always) to minimize downtime impact from crashes.

What systems are affected by CVE-2022-35994?

This vulnerability affects the following AI/ML architecture patterns: model serving, distributed training, training pipelines.

What is the CVSS score for CVE-2022-35994?

CVE-2022-35994 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. When `CollectiveGather` receives an scalar input `input`, it gives a `CHECK` fails that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit c1f491817dec39a26be3c574e86a88c30f3c4770. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary with network access to a TensorFlow Serving endpoint — whether a misconfigured cloud instance or an internal ML platform — sends a crafted prediction request containing a scalar (0-dimensional) tensor to a model that internally invokes CollectiveGather. The operation's CHECK assertion fires immediately, terminating the serving process. The attacker replays the request after each automatic restart, sustaining continuous service unavailability with minimal effort. In a multi-tenant ML-as-a-service platform, a malicious subscriber could use this to deny service to other platform users or trigger cascading failures in dependent inference pipelines.