AI Threat Alert
CVE-2022-36002: TensorFlow: DoS via Unbatch assertion failure
HIGHA network-accessible denial-of-service in TensorFlow's Unbatch op allows any unauthenticated attacker to crash ML serving infrastructure by sending a nonscalar input ID. If your inference endpoints accept external inputs and run TF < 2.10.0, this is a direct availability risk. Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately — no workaround exists.
What is the risk?
High availability risk for exposed TensorFlow inference endpoints. CVSS 7.5 with AV:N/AC:L/PR:N/UI:N means trivial remote exploitation requiring zero authentication or user interaction. Not in CISA KEV and no public exploit confirmed, but the attack primitive (malformed input to crash a service) is within reach of any attacker who can reach the endpoint. Risk amplifies in multi-tenant ML platforms or APIs serving external customers.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
Do you use TensorFlow? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 — apply commit 4419d10d576adefa36b0e0a9425d2569f7c0189f.
-
No workaround exists per the advisory.
-
Interim hardening: add input validation at the API layer to reject nonscalar batch IDs before they reach TF ops.
-
Detection: monitor TF Serving process restarts and HTTP 503 spikes as DoS indicators.
-
Network controls: restrict TensorFlow Serving ports to internal networks only; avoid direct public exposure of TF inference endpoints.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2022-36002?
A network-accessible denial-of-service in TensorFlow's Unbatch op allows any unauthenticated attacker to crash ML serving infrastructure by sending a nonscalar input ID. If your inference endpoints accept external inputs and run TF < 2.10.0, this is a direct availability risk. Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately — no workaround exists.
Is CVE-2022-36002 actively exploited?
No confirmed active exploitation of CVE-2022-36002 has been reported, but organizations should still patch proactively.
How to fix CVE-2022-36002?
1. Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 — apply commit 4419d10d576adefa36b0e0a9425d2569f7c0189f. 2. No workaround exists per the advisory. 3. Interim hardening: add input validation at the API layer to reject nonscalar batch IDs before they reach TF ops. 4. Detection: monitor TF Serving process restarts and HTTP 503 spikes as DoS indicators. 5. Network controls: restrict TensorFlow Serving ports to internal networks only; avoid direct public exposure of TF inference endpoints.
What systems are affected by CVE-2022-36002?
This vulnerability affects the following AI/ML architecture patterns: model serving, inference pipelines, training pipelines, batch processing systems.
What is the CVSS score for CVE-2022-36002?
CVE-2022-36002 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.38%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0029 Denial of AI Service AML.T0034 Cost Harvesting AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
TensorFlow is an open source platform for machine learning. When `Unbatch` receives a nonscalar input `id`, it gives a `CHECK` fail that can trigger a denial of service attack. We have patched the issue in GitHub commit 4419d10d576adefa36b0e0a9425d2569f7c0189f. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.
Exploitation Scenario
An attacker identifies a public-facing model serving API backed by TensorFlow that uses the Unbatch operation (common in sequence-to-batch and batch-to-sequence pipelines). By crafting a REST or gRPC request with a nonscalar tensor as the batch ID field, the attacker triggers a CHECK assertion failure inside the TF runtime. The process terminates immediately. In a Kubernetes deployment, the pod restarts but the attacker repeats the request in a loop, maintaining a persistent DoS against the inference endpoint. No ML expertise required — the attacker needs only to know TensorFlow is in use and the endpoint accepts batched inputs.
Weaknesses (CWE)
CWE-617 — Reachable Assertion: The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
- [Implementation] Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
- [Implementation] Perform input validation on user data.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References
Timeline
Related Vulnerabilities
CVE-2020-15196 9.9 TensorFlow: heap OOB read in sparse/ragged count ops
Same package: tensorflow CVE-2020-15205 9.8 TensorFlow: heap overflow in StringNGrams, ASLR bypass
Same package: tensorflow CVE-2020-15208 9.8 TFLite: OOB read/write via tensor dimension mismatch
Same package: tensorflow CVE-2019-16778 9.8 TensorFlow: heap overflow in UnsortedSegmentSum op
Same package: tensorflow CVE-2022-23587 9.8 TensorFlow: integer overflow in Grappler enables RCE
Same package: tensorflow