CVE-2022-36003: TensorFlow: DoS via RandomPoissonV2 large input

HIGH
Published September 16, 2022
CISO Take

Any TensorFlow inference endpoint serving models that use RandomPoissonV2 (probabilistic sampling, Bayesian nets, VAEs) can be crashed by an unauthenticated attacker with a single malformed request. No workaround exists—patch to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately. Prioritize internet-facing TF Serving deployments above all else.

Risk Assessment

High operational risk for organizations exposing TensorFlow inference endpoints. A CVSS score of 7.5 with no authentication requirement, low attack complexity, and a network-accessible attack vector makes this trivially exploitable at scale. The risk is to availability rather than confidentiality: a single crafted request can take down an inference service, triggering restart loops in orchestrated environments and prolonged outages.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1
7.5 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 20% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

Recommended Action

  1. Patch immediately: upgrade to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2 per your current branch. No workaround exists per the advisory.

  2. Audit exposure: identify models using RandomPoissonV2 ops in your serving fleet (inspect SavedModel signatures or scan model graph artifacts).

  3. Harden serving layer: add input validation to clamp tensor shape dimensions and rate values before ops execute—even post-patch as defense-in-depth.

  4. Monitor: alert on TF Serving process crashes, CHECK assertion failures in logs, or abnormal tensor size in inference request payloads.
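
One way to implement the input gate from step 3, as an added example that is not code from TensorFlow or the advisory: a pure-Python pre-check the serving front end runs before a request reaches a model that uses RandomPoissonV2. The function names and the three limits are assumptions to tune per model; the size check relies on the op's output holding prod(shape) × (number of rate values) samples.

```python
# Added example: request gate for inputs that feed a RandomPoissonV2 op.
# The limits are assumed policy values, not taken from the advisory.
MAX_RANK = 8                     # most dimensions allowed in `shape`
MAX_OUTPUT_ELEMENTS = 1_000_000  # cap on prod(shape) * number of rate values
MAX_RATE = 1e6                   # largest Poisson rate a caller may request


def flatten(value):
    """Yield the scalar leaves of a nested list, as parsed from a JSON body."""
    if isinstance(value, (list, tuple)):
        for item in value:
            yield from flatten(item)
    else:
        yield value


def is_number(x):
    # bool is a subclass of int in Python; it is not a valid rate.
    return isinstance(x, (int, float)) and not isinstance(x, bool)


def validate_poisson_inputs(shape, rate):
    """Return (ok, reason); call before handing the request to the model."""
    if not isinstance(shape, (list, tuple)) or len(shape) > MAX_RANK:
        return False, "shape must be a list of at most MAX_RANK dims"
    elements = 1
    for dim in shape:
        if not isinstance(dim, int) or isinstance(dim, bool):
            return False, "shape dims must be integers"
        # Per-dim cap also catches shapes such as [0, 2**62], whose product is 0.
        if not 0 <= dim <= MAX_OUTPUT_ELEMENTS:
            return False, "shape dim out of range"
        elements *= dim
        if elements > MAX_OUTPUT_ELEMENTS:
            return False, "shape requests too many samples"
    count = 0
    for r in flatten(rate):
        count += 1
        # The chained comparison is False for NaN and +/-inf, so both are rejected.
        if not is_number(r) or not 0 <= r <= MAX_RATE:
            return False, "rate must be a finite number in [0, MAX_RATE]"
        if elements * count > MAX_OUTPUT_ELEMENTS:
            return False, "requested output tensor too large"
    return True, "ok"
```

Rejected requests should return a client error and be logged with the reason, which also gives the monitoring in step 4 a signal that does not depend on a process crash.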

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system robustness and resilience
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain system trustworthiness and resilience
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2022-36003?

Any TensorFlow inference endpoint serving models that use RandomPoissonV2 (probabilistic sampling, Bayesian nets, VAEs) can be crashed by an unauthenticated attacker with a single malformed request. No workaround exists—patch to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately. Prioritize internet-facing TF Serving deployments above all else.

Is CVE-2022-36003 actively exploited?

No confirmed active exploitation of CVE-2022-36003 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-36003?

  1. Patch immediately: upgrade to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2 per your current branch. No workaround exists per the advisory.

  2. Audit exposure: identify models using RandomPoissonV2 ops in your serving fleet (inspect SavedModel signatures or scan model graph artifacts).

  3. Harden serving layer: add input validation to clamp tensor shape dimensions and rate values before ops execute—even post-patch as defense-in-depth.

  4. Monitor: alert on TF Serving process crashes, CHECK assertion failures in logs, or abnormal tensor size in inference request payloads.

What systems are affected by CVE-2022-36003?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference endpoints, training pipelines.

What is the CVSS score for CVE-2022-36003?

CVE-2022-36003 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. When `RandomPoissonV2` receives large input shape and rates, it gives a `CHECK` fail that can trigger a denial of service attack. We have patched the issue in GitHub commit 552bfced6ce4809db5f3ca305f60ff80dd40c5a3. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An attacker identifies a public TensorFlow Serving endpoint via Shodan or API documentation. They craft an inference request with tensors having extremely large shape dimensions or rate values targeting a model that internally uses RandomPoissonV2 (e.g., a probabilistic forecasting or generative API). The CHECK assertion fires, the serving process crashes, and the endpoint goes offline. With no auth required and trivial payload construction, this can be automated to cause sustained denial of service against AI inference infrastructure.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
September 16, 2022
Last Modified
November 21, 2024
First Seen
September 16, 2022
