CVE-2022-35996: TensorFlow: Conv2D DoS via empty input tensor

HIGH
Published September 16, 2022
CISO Take

Any TensorFlow inference endpoint accepting external inputs is vulnerable to a trivial crash via crafted empty tensors — no auth required, network-exploitable. Patch to TF 2.10.0 / 2.9.1 / 2.8.1 / 2.7.2 immediately if you expose image/vision model APIs. Add input shape validation as a compensating control until patching is complete.

Risk Assessment

CVSS 7.5 High with network attack vector, low complexity, no privileges, no user interaction — this is a reliable, scriptable DoS. Impact is limited to availability (no data exfiltration or code execution), but public-facing ML inference APIs running convolutional models are directly and trivially exploitable. Risk is elevated for organizations using TensorFlow Serving or custom Flask/FastAPI inference wrappers without input sanitization.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
7.5 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 20% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

Recommended Action

5 steps
  1. Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 — fix is commit 611d80db29dd7b0cfb755772c69d60ae5bca05f9.

  2. Input validation: Reject tensors with zero-dimension shapes at the API gateway layer before they reach the model.

  3. Process isolation: Run inference workers in isolated containers/processes so a crash does not cascade.

  4. Rate limiting: Apply per-client rate limits on inference endpoints to raise the cost of sustained DoS attempts.

  5. Detection: Alert on spikes in inference exceptions or sudden process restarts in model serving infrastructure.
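
One way to implement the shape check from step 2 in front of the model, shown as an added example (not code from TensorFlow or from this advisory). It assumes requests arrive as JSON with the tensor as nested lists under an "instances" key and that the model expects a rank-4 [batch, height, width, channels] input; the names validate_request, nested_shape and RejectedInput are hypothetical.

```python
"""Gateway-side shape check for image tensors sent as nested JSON lists."""
import json

EXPECTED_RANK = 4  # assumption: model input is [batch, height, width, channels]


class RejectedInput(ValueError):
    """Raised when a payload must not be forwarded to the model."""


def nested_shape(value, depth=0):
    """Return the shape of a rectangular nested list; reject anything else."""
    if not isinstance(value, list):
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise RejectedInput("non-numeric element")
        return ()
    if depth >= EXPECTED_RANK:
        raise RejectedInput("tensor nested deeper than expected rank")
    if not value:
        return (0,)  # an empty list is a zero-sized dimension
    first = nested_shape(value[0], depth + 1)
    for item in value[1:]:
        if nested_shape(item, depth + 1) != first:
            raise RejectedInput("ragged tensor")
    return (len(value),) + first


def validate_request(body):
    """Return the tensor shape if the request is safe to forward, else raise."""
    try:
        payload = json.loads(body)
    except (json.JSONDecodeError, RecursionError) as exc:
        raise RejectedInput("invalid JSON") from exc
    if not isinstance(payload, dict) or "instances" not in payload:
        raise RejectedInput("missing 'instances'")
    shape = nested_shape(payload["instances"])
    # Zero check first: in nested-list form an empty dimension also cuts the
    # rank short, so this gives the more useful rejection reason.
    if 0 in shape:
        raise RejectedInput(f"zero-sized dimension in shape {list(shape)}")
    if len(shape) != EXPECTED_RANK:
        raise RejectedInput(f"expected rank {EXPECTED_RANK}, got {list(shape)}")
    return shape
```

Map RejectedInput to an HTTP 400 at the gateway so that malformed requests are counted separately from worker crashes in the step 5 alerting.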

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.9 - Risk management system
ISO 42001
6.1.2 - AI risk assessment 8.4 - AI system operation and monitoring
NIST AI RMF
GOVERN-1.7 - Processes for AI risk identification and prioritization MANAGE-2.2 - Mechanisms to address residual risks

Frequently Asked Questions

What is CVE-2022-35996?

Any TensorFlow inference endpoint accepting external inputs is vulnerable to a trivial crash via crafted empty tensors — no auth required, network-exploitable. Patch to TF 2.10.0 / 2.9.1 / 2.8.1 / 2.7.2 immediately if you expose image/vision model APIs. Add input shape validation as a compensating control until patching is complete.

Is CVE-2022-35996 actively exploited?

No confirmed active exploitation of CVE-2022-35996 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-35996?

  1. Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 — fix is commit 611d80db29dd7b0cfb755772c69d60ae5bca05f9.

  2. Input validation: Reject tensors with zero-dimension shapes at the API gateway layer before they reach the model.

  3. Process isolation: Run inference workers in isolated containers/processes so a crash does not cascade.

  4. Rate limiting: Apply per-client rate limits on inference endpoints to raise the cost of sustained DoS attempts.

  5. Detection: Alert on spikes in inference exceptions or sudden process restarts in model serving infrastructure.

What systems are affected by CVE-2022-35996?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, CNN-based image models, training pipelines, batch inference jobs.

What is the CVSS score for CVE-2022-35996?

CVE-2022-35996 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. If `Conv2D` is given empty `input` and the `filter` and `padding` sizes are valid, the output is all-zeros. This causes division-by-zero floating point exceptions that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 611d80db29dd7b0cfb755772c69d60ae5bca05f9. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary identifies a public-facing image classification API (e.g., product photo tagger, ID document scanner) built on TensorFlow. They craft an HTTP POST request with an empty input tensor (shape [0, H, W, C]) that passes basic schema validation but reaches the Conv2D layer. The divide-by-zero exception crashes the inference worker. The adversary repeats this in a loop — no credentials, no rate limit bypass needed — keeping the service in a crash-restart cycle and achieving sustained denial of service against the ML-powered product feature.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
September 16, 2022
Last Modified
November 21, 2024
First Seen
September 16, 2022
