CVE-2022-35997 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

Any TensorFlow serving endpoint that accepts user-controlled inputs flowing into tf.sparse.cross can be remotely crashed with a single malformed request — no authentication required. Patch to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately; no workaround exists. Availability risk is real for recommendation and NLP serving infrastructure using sparse feature ops.

Risk Assessment

High severity (CVSS 7.5) with trivial exploitability: network-accessible, zero privileges, zero user interaction. Impact is limited to availability (no data exfiltration or code execution), but the attack surface is broad — any TF model serving layer that exposes sparse tensor operations to external input qualifies. Production ML inference APIs are the primary exposure vector. EPSS data unavailable, but the CHECK-fail pattern in TensorFlow has historically been trivial to trigger once the target op is identified.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 14% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

PATCH

Upgrade to TensorFlow >= 2.10.0, or cherry-pick commit 83dcb4dbfa094e33db084e97c4d0531a559e0ebf for TF 2.7.2/2.8.1/2.9.1. No in-place workaround exists per the advisory.
VALIDATE INPUTS

Add input validation at the API gateway or serving layer to enforce scalar type for any separator parameters before they reach model ops.
ISOLATE

Run TF Serving in containers with restart policies so that a crash does not constitute extended downtime.
DETECT

Log and alert on unexpected process crashes or OOM/signal exits in TF Serving pods — these can indicate crash-loop exploitation attempts.
INVENTORY

Audit all internal models using tf.sparse.cross via grep -r 'sparse.cross' in model code and SavedModel signatures.

Classification

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.4 - Availability of AI system resources

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain and monitor AI risk management

OWASP LLM Top 10

LLM10 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2022-35997?

Any TensorFlow serving endpoint that accepts user-controlled inputs flowing into tf.sparse.cross can be remotely crashed with a single malformed request — no authentication required. Patch to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately; no workaround exists. Availability risk is real for recommendation and NLP serving infrastructure using sparse feature ops.

Is CVE-2022-35997 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-35997, increasing the risk of exploitation.

How to fix CVE-2022-35997?

1. PATCH: Upgrade to TensorFlow >= 2.10.0, or cherry-pick commit 83dcb4dbfa094e33db084e97c4d0531a559e0ebf for TF 2.7.2/2.8.1/2.9.1. No in-place workaround exists per the advisory. 2. VALIDATE INPUTS: Add input validation at the API gateway or serving layer to enforce scalar type for any separator parameters before they reach model ops. 3. ISOLATE: Run TF Serving in containers with restart policies so that a crash does not constitute extended downtime. 4. DETECT: Log and alert on unexpected process crashes or OOM/signal exits in TF Serving pods — these can indicate crash-loop exploitation attempts. 5. INVENTORY: Audit all internal models using tf.sparse.cross via `grep -r 'sparse.cross'` in model code and SavedModel signatures.

What systems are affected by CVE-2022-35997?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference pipelines, feature engineering pipelines, training pipelines.

What is the CVSS score for CVE-2022-35997?

CVE-2022-35997 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.05%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. If `tf.sparse.cross` receives an input `separator` that is not a scalar, it gives a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 83dcb4dbfa094e33db084e97c4d0531a559e0ebf. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary probing a recommendation API powered by a wide-and-deep TensorFlow model sends a crafted inference request where the separator field in a sparse.cross operation is passed as a 1-D tensor instead of a scalar string. TensorFlow's internal CHECK macro fires immediately, raising a C++ assertion failure that terminates the serving process. If the attacker scripts this in a loop, they can keep the serving pod in a crash loop, effectively denying service to legitimate users. No special ML knowledge is needed — the attacker only needs to know the input schema of the endpoint, discoverable via error messages or API documentation.