CVE-2022-36003: TensorFlow: DoS via RandomPoissonV2 large input

HIGH
Published September 16, 2022
CISO Take

Any TensorFlow inference endpoint serving models that use RandomPoissonV2 (probabilistic sampling, Bayesian nets, VAEs) can be crashed by an unauthenticated attacker with a single malformed request. No workaround exists—patch to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately. Prioritize internet-facing TF Serving deployments above all else.

What is the risk?

High operational risk for organizations exposing TensorFlow inference endpoints. CVSS 7.5 with zero authentication requirement, low attack complexity, and network-accessible attack vector makes this trivially exploitable at scale. Risk is availability-focused rather than confidentiality; a single crafted request can take down an inference service, triggering restart loops in orchestrated environments and prolonged outages.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
TensorFlow | pip | | No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 30% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

What should I do?

  1. Patch immediately: upgrade to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2 per your current branch. No workaround exists per the advisory.

  2. Audit exposure: identify models using RandomPoissonV2 ops in your serving fleet (inspect SavedModel signatures or scan model graph artifacts).

  3. Harden serving layer: add input validation to clamp tensor shape dimensions and rate values before ops execute—even post-patch as defense-in-depth.

  4. Monitor: alert on TF Serving process crashes, CHECK assertion failures in logs, or abnormal tensor size in inference request payloads.
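
One way to carry out the audit in step 2 without loading any model, shown as an added example that is not part of the advisory or of TensorFlow's tooling: a standard-library scan of graph files for nodes whose op is RandomPoissonV2. The file suffixes and the byte-level match are assumptions of this sketch, and the sample bytes are constructed; treat a hit as a lead to confirm with TensorFlow's own model inspection.

```python
import os
import re

OP = b"RandomPoissonV2"
# Binary GraphDef / SavedModel: NodeDef.op is protobuf field 2 (wire type 2),
# so a node using the op contains tag 0x12, a one-byte length, then the name.
BINARY_PATTERN = b"\x12" + bytes([len(OP)]) + OP
# Text-format graphs (.pbtxt) spell the same field as: op: "RandomPoissonV2"
TEXT_PATTERN = re.compile(rb'\bop\s*:\s*"' + re.escape(OP) + rb'"')
GRAPH_SUFFIXES = (".pb", ".pbtxt")  # assumed artifact names in the fleet

# Constructed sample bytes: a node that uses the op, and a decoy node that
# is merely *named* RandomPoissonV2 (field 1) but runs a Const op.
SAMPLE_NODE = b"\x0a\x06sample\x12\x0fRandomPoissonV2"
DECOY_NODE = b"\x0a\x0fRandomPoissonV2\x12\x05Const"


def count_op_nodes(data: bytes) -> int:
    """Count graph nodes whose op field is exactly RandomPoissonV2."""
    return data.count(BINARY_PATTERN) + len(TEXT_PATTERN.findall(data))


def scan_model_tree(root: str) -> dict:
    """Map each graph file under root that uses the op to its node count."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(GRAPH_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                found = count_op_nodes(fh.read())
            if found:
                hits[path] = found
    return hits
```

A string attribute whose value happens to be the op name would also match the binary pattern, so expect the occasional false positive rather than a missed node.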

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system robustness and resilience
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain system trustworthiness and resilience
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2022-36003?

Any TensorFlow inference endpoint serving models that use RandomPoissonV2 (probabilistic sampling, Bayesian nets, VAEs) can be crashed by an unauthenticated attacker with a single malformed request. No workaround exists—patch to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately. Prioritize internet-facing TF Serving deployments above all else.

Is CVE-2022-36003 actively exploited?

No confirmed active exploitation of CVE-2022-36003 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-36003?

  1. Patch immediately: upgrade to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2 per your current branch. No workaround exists per the advisory.

  2. Audit exposure: identify models using RandomPoissonV2 ops in your serving fleet (inspect SavedModel signatures or scan model graph artifacts).

  3. Harden serving layer: add input validation to clamp tensor shape dimensions and rate values before ops execute—even post-patch as defense-in-depth.

  4. Monitor: alert on TF Serving process crashes, CHECK assertion failures in logs, or abnormal tensor size in inference request payloads.

What systems are affected by CVE-2022-36003?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference endpoints, training pipelines.

What is the CVSS score for CVE-2022-36003?

CVE-2022-36003 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.38%.

What is the AI security impact?

Affected AI Architectures

model serving, inference endpoints, training pipelines

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: 8.4
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. When `RandomPoissonV2` receives large input shape and rates, it gives a `CHECK` fail that can trigger a denial of service attack. We have patched the issue in GitHub commit 552bfced6ce4809db5f3ca305f60ff80dd40c5a3. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An attacker identifies a public TensorFlow Serving endpoint via Shodan or API documentation. They craft an inference request with tensors having extremely large shape dimensions or rate values targeting a model that internally uses RandomPoissonV2 (e.g., a probabilistic forecasting or generative API). The CHECK assertion fires, the serving process crashes, and the endpoint goes offline. With no auth required and trivial payload construction, this can be automated to cause sustained denial of service against AI inference infrastructure.

Weaknesses (CWE)

CWE-617 — Reachable Assertion: The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

  • [Implementation] Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
  • [Implementation] Perform input validation on user data.

Source: MITRE CWE corpus.
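
The input-validation mitigation above, applied to the two inputs the advisory names (shape and rates), as an added example that is not TensorFlow or advisory code: a bounds check a gateway could run before a request reaches the graph, rejecting anything outside the limits. The limits, the JSON keys `shape` and `rate`, and the flat rate list are assumptions that depend on the model's signature; the sample requests are constructed.

```python
import json
import math

# Assumed limits for this sketch; size them to what the model really needs.
MAX_RANK = 4            # dimensions in the requested sample shape
MAX_DIM = 4096          # size of any single dimension
MAX_ELEMENTS = 1 << 20  # total samples: prod(shape) * number of rates
MAX_RATE = 1e6          # largest Poisson rate accepted


def check_poisson_inputs(shape, rates):
    """Return the reasons to reject; an empty list means accept."""
    if not isinstance(shape, list) or len(shape) > MAX_RANK:
        return ["shape must be a list of at most %d dimensions" % MAX_RANK]
    if not isinstance(rates, list) or not rates:
        return ["rate must be a non-empty flat list"]
    problems = []
    for d in shape:
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(d, bool) or not isinstance(d, int):
            problems.append("non-integer dimension: %r" % (d,))
        elif not 0 <= d <= MAX_DIM:
            problems.append("dimension out of range: %d" % d)
    for r in rates:
        if isinstance(r, bool) or not isinstance(r, (int, float)):
            problems.append("non-numeric rate: %r" % (r,))
        elif not 0 <= r <= MAX_RATE:  # NaN and infinity fail this test too
            problems.append("rate out of range: %r" % (r,))
    # Python ints are exact, so this product cannot wrap the way a
    # fixed-width element count can; each dimension is already bounded.
    if not problems and math.prod(shape) * len(rates) > MAX_ELEMENTS:
        problems.append("too many samples requested")
    return problems


def check_request(body):
    """Validate a JSON request body; keys 'shape' and 'rate' are assumed."""
    try:
        inputs = json.loads(body)["inputs"]
        return check_poisson_inputs(inputs["shape"], inputs["rate"])
    except (ValueError, KeyError, TypeError):
        return ["malformed request body"]


# Constructed sample requests, not captured traffic.
GOOD = '{"inputs": {"shape": [2, 3], "rate": [0.5, 4.0]}}'
BAD = '{"inputs": {"shape": [4096, 4096, 4096], "rate": [1e400, NaN]}}'
```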

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
September 16, 2022
Last Modified
November 21, 2024
First Seen
September 16, 2022

Related Vulnerabilities