AI Threat Alert

CVE-2022-36000: TensorFlow: null deref crashes MLIR graph conversion

HIGH
Published September 16, 2022
CISO Take

A remotely exploitable null dereference in TensorFlow's MLIR component allows unauthenticated attackers to crash any model serving or training pipeline built on affected TF versions. Patch immediately to TF 2.10.0 / 2.9.1 / 2.8.1 / 2.7.2. If you expose TensorFlow inference endpoints to untrusted inputs — internally or externally — treat this as urgent.

What is the risk?

CVSS 7.5 High with a trivial exploit profile: network-accessible, no authentication, no user interaction. Impact is purely availability (DoS), not confidentiality or integrity. However, in ML serving contexts, crashing the inference engine can be leveraged to disrupt AI-dependent business workflows or create availability SLA breaches. Risk is elevated for organizations with externally accessible model serving APIs or multi-tenant ML platforms.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 3d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 30% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

What should I do?

6 steps

  1. Upgrade TensorFlow to 2.10.0, or cherrypick commit aed36912609fc07229b4d0a7b44f3f48efc00fd0 to 2.9.1/2.8.1/2.7.2.

  2. If upgrade is not immediately possible, restrict model upload/import functionality to authenticated and authorized users only.

  3. Deploy input validation to reject model files with empty function attributes before they reach MLIR processing.

  4. Add health check alerting and auto-restart for TF Serving pods to minimize DoS impact.

  5. Audit all public-facing endpoints that accept model files or graph definitions.

  6. Monitor for repeated crash/restart cycles in TF Serving logs as a detection signal.

How is it classified?

DoS Framework Inference AML.T0010.001 AML.T0029 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system
ISO 42001
6.1.2 - AI risk assessment 8.4 - AI system security
NIST AI RMF
GOVERN 1.2 - Accountability for AI risk MANAGE 2.4 - Residual risks are managed

Frequently Asked Questions

What is CVE-2022-36000?

A remotely exploitable null dereference in TensorFlow's MLIR component allows unauthenticated attackers to crash any model serving or training pipeline built on affected TF versions. Patch immediately to TF 2.10.0 / 2.9.1 / 2.8.1 / 2.7.2. If you expose TensorFlow inference endpoints to untrusted inputs — internally or externally — treat this as urgent.

Is CVE-2022-36000 actively exploited?

No confirmed active exploitation of CVE-2022-36000 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-36000?

1. Upgrade TensorFlow to 2.10.0, or cherrypick commit aed36912609fc07229b4d0a7b44f3f48efc00fd0 to 2.9.1/2.8.1/2.7.2. 2. If upgrade is not immediately possible, restrict model upload/import functionality to authenticated and authorized users only. 3. Deploy input validation to reject model files with empty function attributes before they reach MLIR processing. 4. Add health check alerting and auto-restart for TF Serving pods to minimize DoS impact. 5. Audit all public-facing endpoints that accept model files or graph definitions. 6. Monitor for repeated crash/restart cycles in TF Serving logs as a detection signal.

What systems are affected by CVE-2022-36000?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps platforms.

What is the CVSS score for CVE-2022-36000?

CVE-2022-36000 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.38%.

What is the AI security impact?

Affected AI Architectures

model servingtraining pipelinesMLOps platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15, Art. 9
ISO 42001: 6.1.2, 8.4
NIST AI RMF: GOVERN 1.2, MANAGE 2.4

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. When `mlir::tfg::ConvertGenericFunctionToFunctionDef` is given empty function attributes, it gives a null dereference. We have patched the issue in GitHub commit aed36912609fc07229b4d0a7b44f3f48efc00fd0. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary identifies a public TensorFlow Serving REST or gRPC endpoint. They craft a TensorFlow SavedModel or FunctionDef with deliberately empty function attributes and submit it via the model management API or a prediction endpoint that triggers model loading. When TensorFlow processes the graph through MLIR's TFG conversion path, the null dereference fires, crashing the serving process. In Kubernetes environments without proper restart policies, this results in sustained service unavailability. In multi-tenant ML platforms, a malicious tenant could use this to impact other tenants' inference workloads.

Weaknesses (CWE)

CWE-476 NULL Pointer Dereference Primary CWE-476 NULL Pointer Dereference

CWE-476 — NULL Pointer Dereference: The product dereferences a pointer that it expects to be valid but is NULL.

  • [Implementation] For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
  • [Requirements] Select a programming language that is not susceptible to these issues.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
September 16, 2022
Last Modified
November 21, 2024
First Seen
September 16, 2022

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed