AI Threat Alert AI Threat Alert

CVE-2022-36000: TensorFlow: null deref crashes MLIR graph conversion

HIGH
Published September 16, 2022
CISO Take

A remotely exploitable null dereference in TensorFlow's MLIR component allows unauthenticated attackers to crash any model serving or training pipeline built on affected TF versions. Patch immediately to TF 2.10.0 / 2.9.1 / 2.8.1 / 2.7.2. If you expose TensorFlow inference endpoints to untrusted inputs — internally or externally — treat this as urgent.

Risk Assessment

CVSS 7.5 High with a trivial exploit profile: network-accessible, no authentication, no user interaction. Impact is purely availability (DoS), not confidentiality or integrity. However, in ML serving contexts, crashing the inference engine can be leveraged to disrupt AI-dependent business workflows or create availability SLA breaches. Risk is elevated for organizations with externally accessible model serving APIs or multi-tenant ML platforms.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
7.5 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 22% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Moderate

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

Recommended Action

6 steps

  1. Upgrade TensorFlow to 2.10.0, or cherrypick commit aed36912609fc07229b4d0a7b44f3f48efc00fd0 to 2.9.1/2.8.1/2.7.2.

  2. If upgrade is not immediately possible, restrict model upload/import functionality to authenticated and authorized users only.

  3. Deploy input validation to reject model files with empty function attributes before they reach MLIR processing.

  4. Add health check alerting and auto-restart for TF Serving pods to minimize DoS impact.

  5. Audit all public-facing endpoints that accept model files or graph definitions.

  6. Monitor for repeated crash/restart cycles in TF Serving logs as a detection signal.

Classification

DoS Framework Inference AML.T0010.001 AML.T0029 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system
ISO 42001
6.1.2 - AI risk assessment 8.4 - AI system security
NIST AI RMF
GOVERN 1.2 - Accountability for AI risk MANAGE 2.4 - Residual risks are managed

Frequently Asked Questions

What is CVE-2022-36000?

A remotely exploitable null dereference in TensorFlow's MLIR component allows unauthenticated attackers to crash any model serving or training pipeline built on affected TF versions. Patch immediately to TF 2.10.0 / 2.9.1 / 2.8.1 / 2.7.2. If you expose TensorFlow inference endpoints to untrusted inputs — internally or externally — treat this as urgent.

Is CVE-2022-36000 actively exploited?

No confirmed active exploitation of CVE-2022-36000 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-36000?

1. Upgrade TensorFlow to 2.10.0, or cherrypick commit aed36912609fc07229b4d0a7b44f3f48efc00fd0 to 2.9.1/2.8.1/2.7.2. 2. If upgrade is not immediately possible, restrict model upload/import functionality to authenticated and authorized users only. 3. Deploy input validation to reject model files with empty function attributes before they reach MLIR processing. 4. Add health check alerting and auto-restart for TF Serving pods to minimize DoS impact. 5. Audit all public-facing endpoints that accept model files or graph definitions. 6. Monitor for repeated crash/restart cycles in TF Serving logs as a detection signal.

What systems are affected by CVE-2022-36000?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps platforms.

What is the CVSS score for CVE-2022-36000?

CVE-2022-36000 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.07%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. When `mlir::tfg::ConvertGenericFunctionToFunctionDef` is given empty function attributes, it gives a null dereference. We have patched the issue in GitHub commit aed36912609fc07229b4d0a7b44f3f48efc00fd0. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary identifies a public TensorFlow Serving REST or gRPC endpoint. They craft a TensorFlow SavedModel or FunctionDef with deliberately empty function attributes and submit it via the model management API or a prediction endpoint that triggers model loading. When TensorFlow processes the graph through MLIR's TFG conversion path, the null dereference fires, crashing the serving process. In Kubernetes environments without proper restart policies, this results in sustained service unavailability. In multi-tenant ML platforms, a malicious tenant could use this to impact other tenants' inference workloads.

Weaknesses (CWE)

CWE-476 Primary CWE-476

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
September 16, 2022
Last Modified
November 21, 2024
First Seen
September 16, 2022

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed