CVE-2022-36001 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

TensorFlow's DrawBoundingBoxes operation crashes on non-float bounding box input, enabling unauthenticated DoS against any exposed TF Serving or inference endpoint processing computer vision workloads. No workaround exists — patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2. Assess whether your CV model endpoints validate input dtype before reaching this operation.

Risk Assessment

High exploitability (CVSS 7.5, network vector, no authentication, no user interaction) but impact is confined to availability. Trivially reproducible — any attacker with inference API access can crash the TF process by submitting malformed bounding box data. Risk is highest for publicly exposed object detection or image annotation APIs with no input validation layer. Not in CISA KEV and no known active exploitation in the wild reduces urgency, but the low bar for exploitation warrants prompt patching.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 20% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Upgrade TensorFlow to 2.10.0, 2.9.1, 2.8.1, or 2.7.2 — the only fix.
Add server-side input validation enforcing float32 dtype on boxes tensors before passing to DrawBoundingBoxes.
Implement API-level input schema validation on inference endpoints to reject malformed tensor dtypes at the boundary.
Deploy process supervision (systemd, Kubernetes liveness probes) to auto-restart crashed TF Serving instances while patching is in progress.
Monitor inference endpoint logs for abnormal CHECK failure messages as a detection signal for active exploitation attempts.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0043.003 - Manual Modification AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 9 - Risk Management System

ISO 42001

A.6.2.6 - AI system operation and monitoring

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain AI system trustworthiness

OWASP LLM Top 10

LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2022-36001?

TensorFlow's DrawBoundingBoxes operation crashes on non-float bounding box input, enabling unauthenticated DoS against any exposed TF Serving or inference endpoint processing computer vision workloads. No workaround exists — patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2. Assess whether your CV model endpoints validate input dtype before reaching this operation.

Is CVE-2022-36001 actively exploited?

No confirmed active exploitation of CVE-2022-36001 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-36001?

1. Upgrade TensorFlow to 2.10.0, 2.9.1, 2.8.1, or 2.7.2 — the only fix. 2. Add server-side input validation enforcing float32 dtype on boxes tensors before passing to DrawBoundingBoxes. 3. Implement API-level input schema validation on inference endpoints to reject malformed tensor dtypes at the boundary. 4. Deploy process supervision (systemd, Kubernetes liveness probes) to auto-restart crashed TF Serving instances while patching is in progress. 5. Monitor inference endpoint logs for abnormal CHECK failure messages as a detection signal for active exploitation attempts.

What systems are affected by CVE-2022-36001?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference endpoints, computer vision pipelines, training pipelines.

What is the CVSS score for CVE-2022-36001?

CVE-2022-36001 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. When `DrawBoundingBoxes` receives an input `boxes` that is not of dtype `float`, it gives a `CHECK` fail that can trigger a denial of service attack. We have patched the issue in GitHub commit da0d65cdc1270038e72157ba35bf74b85d9bda11. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary with access to a TensorFlow Serving endpoint hosting an object detection model submits an inference request with bounding box coordinates encoded as integer or boolean dtype instead of float32. TensorFlow's internal CHECK assertion triggers immediately, crashing the serving process. Without automatic restart, this produces sustained service outage. No ML expertise required — basic API fuzzing using the public advisory details is sufficient to reproduce. In a multi-tenant model serving environment, one malformed request can take down inference capacity for all tenants sharing the process.