AI Threat Alert
CVE-2022-36001: TensorFlow: DoS via type confusion in DrawBoundingBoxes
HIGHTensorFlow's DrawBoundingBoxes operation crashes on non-float bounding box input, enabling unauthenticated DoS against any exposed TF Serving or inference endpoint processing computer vision workloads. No workaround exists — patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2. Assess whether your CV model endpoints validate input dtype before reaching this operation.
What is the risk?
High exploitability (CVSS 7.5, network vector, no authentication, no user interaction) but impact is confined to availability. Trivially reproducible — any attacker with inference API access can crash the TF process by submitting malformed bounding box data. Risk is highest for publicly exposed object detection or image annotation APIs with no input validation layer. Not in CISA KEV and no known active exploitation in the wild reduces urgency, but the low bar for exploitation warrants prompt patching.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
Do you use TensorFlow? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Upgrade TensorFlow to 2.10.0, 2.9.1, 2.8.1, or 2.7.2 — the only fix.
-
Add server-side input validation enforcing float32 dtype on boxes tensors before passing to DrawBoundingBoxes.
-
Implement API-level input schema validation on inference endpoints to reject malformed tensor dtypes at the boundary.
-
Deploy process supervision (systemd, Kubernetes liveness probes) to auto-restart crashed TF Serving instances while patching is in progress.
-
Monitor inference endpoint logs for abnormal CHECK failure messages as a detection signal for active exploitation attempts.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2022-36001?
TensorFlow's DrawBoundingBoxes operation crashes on non-float bounding box input, enabling unauthenticated DoS against any exposed TF Serving or inference endpoint processing computer vision workloads. No workaround exists — patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2. Assess whether your CV model endpoints validate input dtype before reaching this operation.
Is CVE-2022-36001 actively exploited?
No confirmed active exploitation of CVE-2022-36001 has been reported, but organizations should still patch proactively.
How to fix CVE-2022-36001?
1. Upgrade TensorFlow to 2.10.0, 2.9.1, 2.8.1, or 2.7.2 — the only fix. 2. Add server-side input validation enforcing float32 dtype on boxes tensors before passing to DrawBoundingBoxes. 3. Implement API-level input schema validation on inference endpoints to reject malformed tensor dtypes at the boundary. 4. Deploy process supervision (systemd, Kubernetes liveness probes) to auto-restart crashed TF Serving instances while patching is in progress. 5. Monitor inference endpoint logs for abnormal CHECK failure messages as a detection signal for active exploitation attempts.
What systems are affected by CVE-2022-36001?
This vulnerability affects the following AI/ML architecture patterns: model serving, inference endpoints, computer vision pipelines, training pipelines.
What is the CVSS score for CVE-2022-36001?
CVE-2022-36001 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.38%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0029 Denial of AI Service AML.T0043.003 Manual Modification AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
TensorFlow is an open source platform for machine learning. When `DrawBoundingBoxes` receives an input `boxes` that is not of dtype `float`, it gives a `CHECK` fail that can trigger a denial of service attack. We have patched the issue in GitHub commit da0d65cdc1270038e72157ba35bf74b85d9bda11. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.
Exploitation Scenario
An adversary with access to a TensorFlow Serving endpoint hosting an object detection model submits an inference request with bounding box coordinates encoded as integer or boolean dtype instead of float32. TensorFlow's internal CHECK assertion triggers immediately, crashing the serving process. Without automatic restart, this produces sustained service outage. No ML expertise required — basic API fuzzing using the public advisory details is sufficient to reproduce. In a multi-tenant model serving environment, one malformed request can take down inference capacity for all tenants sharing the process.
Weaknesses (CWE)
CWE-617 — Reachable Assertion: The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
- [Implementation] Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
- [Implementation] Perform input validation on user data.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References
Timeline
Related Vulnerabilities
CVE-2020-15196 9.9 TensorFlow: heap OOB read in sparse/ragged count ops
Same package: tensorflow CVE-2020-15205 9.8 TensorFlow: heap overflow in StringNGrams, ASLR bypass
Same package: tensorflow CVE-2020-15208 9.8 TFLite: OOB read/write via tensor dimension mismatch
Same package: tensorflow CVE-2019-16778 9.8 TensorFlow: heap overflow in UnsortedSegmentSum op
Same package: tensorflow CVE-2022-23587 9.8 TensorFlow: integer overflow in Grappler enables RCE
Same package: tensorflow