CVE-2022-35995 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

A reachable assertion in TensorFlow's AudioSummaryV2 op allows any unauthenticated network attacker to crash TF processes by sending a malformed sample_rate tensor — no exploit sophistication required. If your ML infrastructure exposes TensorFlow model serving or training APIs to untrusted inputs, this is a remote availability risk. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2; no workaround exists per the advisory.

Risk Assessment

CVSS 7.5 (High) with network-accessible, zero-authentication, zero-interaction exploitation makes this trivially weaponizable. Real-world risk is moderate: AudioSummaryV2 is primarily a TensorBoard/debugging op, rarely exposed in production inference endpoints. However, organizations running TF Serving with broad op allowlists, or accepting external model inputs during training, face genuine crash-loop DoS risk. Not in CISA KEV and no public exploitation observed, but the low attack complexity warrants prompt patching over the next maintenance cycle.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 20% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

6 steps

Patch to TensorFlow 2.10.0 (commit bf6b45244992e2ee543c258e519489659c99fb7f), or cherrypick to 2.9.1 / 2.8.1 / 2.7.2 for supported branches.
No workaround is available — patching is the only fix.
As defense-in-depth: restrict TF Serving op allowlists to exclude AudioSummaryV2 if not needed in production.
Enforce input validation at API boundaries to reject multi-element sample_rate tensors before they reach the op.
Deploy process supervisors (systemd, Kubernetes restartPolicy) to auto-recover crashed TF workers, limiting DoS window.
Monitor for repeated process crashes in TF serving infrastructure as a detection signal.

Classification

DoS Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

6.1.2 - AI risk assessment — availability and robustness

NIST AI RMF

GOVERN 6.1 - Policies and procedures for AI risk management across the lifecycle MANAGE 2.2 - Mechanisms for responding to and recovering from AI risks

Frequently Asked Questions

What is CVE-2022-35995?

A reachable assertion in TensorFlow's AudioSummaryV2 op allows any unauthenticated network attacker to crash TF processes by sending a malformed sample_rate tensor — no exploit sophistication required. If your ML infrastructure exposes TensorFlow model serving or training APIs to untrusted inputs, this is a remote availability risk. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2; no workaround exists per the advisory.

Is CVE-2022-35995 actively exploited?

No confirmed active exploitation of CVE-2022-35995 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-35995?

1. Patch to TensorFlow 2.10.0 (commit bf6b45244992e2ee543c258e519489659c99fb7f), or cherrypick to 2.9.1 / 2.8.1 / 2.7.2 for supported branches. 2. No workaround is available — patching is the only fix. 3. As defense-in-depth: restrict TF Serving op allowlists to exclude AudioSummaryV2 if not needed in production. 4. Enforce input validation at API boundaries to reject multi-element sample_rate tensors before they reach the op. 5. Deploy process supervisors (systemd, Kubernetes restartPolicy) to auto-recover crashed TF workers, limiting DoS window. 6. Monitor for repeated process crashes in TF serving infrastructure as a detection signal.

What systems are affected by CVE-2022-35995?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving.

What is the CVSS score for CVE-2022-35995?

CVE-2022-35995 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. When `AudioSummaryV2` receives an input `sample_rate` with more than one element, it gives a `CHECK` fails that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit bf6b45244992e2ee543c258e519489659c99fb7f. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary identifies a TF Serving endpoint or training API accepting audio-related model inputs. They craft a TensorFlow SavedModel or direct API call that invokes AudioSummaryV2 with a sample_rate tensor shaped [2] or larger instead of the expected scalar [1]. When the op executes, the internal CHECK assertion fires and the TF process aborts. On a Kubernetes cluster, this triggers pod restart loops; on bare-metal TF Serving, the service becomes unavailable until manual intervention. A persistent attacker can replay the malformed request faster than restarts complete, sustaining a DoS indefinitely with minimal resources.