CVE-2022-36004 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

Any TensorFlow deployment invoking tf.random.gamma with externally-controlled input is remotely crashable — no credentials required, no workaround exists. Patch is mandatory: upgrade to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2. Prioritize internet-facing inference services and training APIs that accept user-defined tensor shapes.

Risk Assessment

High exploitability: network-reachable, zero privileges, low complexity — an attacker just needs to send oversized shape or rate values. Blast radius is availability-only (C:N/I:N/A:H); no data exfiltration or code execution path. Elevated risk for organizations exposing TensorFlow inference endpoints to untrusted input. Not in CISA KEV and no confirmed active exploitation reduces urgency slightly, but the trivial trigger mechanism means any unpatched public endpoint is permanently exposed.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 22% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 (fix cherry-picked to all supported branches via commit 552bfced).
Input validation: Enforce hard upper bounds on shape dimensions and rate parameter values at API boundaries before they reach tf.random.gamma.
Rate limiting: Apply per-client request rate limits on inference endpoints to reduce sustained DoS impact.
Detection: Alert on repeated TensorFlow process crashes or container restarts — a pattern of CHECK failures in logs is a direct indicator of exploitation attempts.
Isolation: Run inference workers in isolated containers with auto-restart policies to minimize service downtime if triggered.

Classification

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0043 - Craft Adversarial Data AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.2.3 - AI System Operation

NIST AI RMF

MANAGE 2.2 - Risk Response and Remediation

OWASP LLM Top 10

LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2022-36004?

Any TensorFlow deployment invoking tf.random.gamma with externally-controlled input is remotely crashable — no credentials required, no workaround exists. Patch is mandatory: upgrade to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2. Prioritize internet-facing inference services and training APIs that accept user-defined tensor shapes.

Is CVE-2022-36004 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-36004, increasing the risk of exploitation.

How to fix CVE-2022-36004?

1. Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 (fix cherry-picked to all supported branches via commit 552bfced). 2. Input validation: Enforce hard upper bounds on shape dimensions and rate parameter values at API boundaries before they reach tf.random.gamma. 3. Rate limiting: Apply per-client request rate limits on inference endpoints to reduce sustained DoS impact. 4. Detection: Alert on repeated TensorFlow process crashes or container restarts — a pattern of CHECK failures in logs is a direct indicator of exploitation attempts. 5. Isolation: Run inference workers in isolated containers with auto-restart policies to minimize service downtime if triggered.

What systems are affected by CVE-2022-36004?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference APIs.

What is the CVSS score for CVE-2022-36004?

CVE-2022-36004 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.07%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. When `tf.random.gamma` receives large input shape and rates, it gives a `CHECK` fail that can trigger a denial of service attack. We have patched the issue in GitHub commit 552bfced6ce4809db5f3ca305f60ff80dd40c5a3. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary identifies a public ML inference API backed by TensorFlow — for example, a Bayesian recommendation engine or VAE-based anomaly detection service. By sending POST requests with crafted tensors containing extremely large shape values or rate parameters that are passed internally to tf.random.gamma, the adversary triggers a CHECK assertion failure, crashing the TensorFlow serving process. With no workaround available, repeated requests sustain a persistent DoS. The attacker needs no authentication, no ML expertise, and no prior reconnaissance beyond identifying the endpoint — a single malformed request is sufficient to crash the worker.