CVE-2022-36004: TensorFlow: DoS via tf.random.gamma CHECK assertion

Severity: HIGH | PoC available
Published September 16, 2022
CISO Take

Any TensorFlow deployment invoking tf.random.gamma with externally-controlled input is remotely crashable — no credentials required, no workaround exists. Patch is mandatory: upgrade to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2. Prioritize internet-facing inference services and training APIs that accept user-defined tensor shapes.

What is the risk?

High exploitability: network-reachable, zero privileges, low complexity — an attacker just needs to send oversized shape or rate values. Blast radius is availability-only (C:N/I:N/A:H); there is no data exfiltration or code execution path. Risk is elevated for organizations exposing TensorFlow inference endpoints to untrusted input. The CVE is not in CISA KEV and there is no confirmed active exploitation, which reduces urgency slightly, but the trivial trigger mechanism means any unpatched public endpoint is permanently exposed.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K; OpenSSF 7.1; 3.7K dependents; 4% patched; ~1372d to patch


How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 30% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: None
I: None
A: High

What should I do?

  1. Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 (fix cherry-picked to all supported branches via commit 552bfced).

  2. Input validation: Enforce hard upper bounds on shape dimensions and rate parameter values at API boundaries before they reach tf.random.gamma.

  3. Rate limiting: Apply per-client request rate limits on inference endpoints to reduce sustained DoS impact.

  4. Detection: Alert on repeated TensorFlow process crashes or container restarts — a pattern of CHECK failures in logs is a direct indicator of exploitation attempts.

  5. Isolation: Run inference workers in isolated containers with auto-restart policies to minimize service downtime if triggered.
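
Step 2 as an added example (not code from TensorFlow or the advisory): a pure-Python gate that an API handler could run on request fields before they are passed to tf.random.gamma. The limit values, the flat-list form of alpha and beta, and every name below are assumptions made for illustration.

```python
import math

# Assumed service limits (hypothetical values; size them to your workload).
MAX_RANK = 4              # dimensions allowed in the requested shape
MAX_DIM = 4096            # largest single dimension
MAX_ELEMENTS = 1_000_000  # samples one request may ask for
MAX_PARAM = 1e6           # largest alpha (concentration) or beta (rate) value

class GammaRequestError(ValueError):
    """Request rejected before it reaches tf.random.gamma."""

def _check_dims(dims):
    if not isinstance(dims, (list, tuple)) or len(dims) > MAX_RANK:
        raise GammaRequestError(f"shape: need a list of at most {MAX_RANK} dims")
    for d in dims:
        # bool is an int subclass, so exclude it explicitly.
        if isinstance(d, bool) or not isinstance(d, int):
            raise GammaRequestError(f"shape: non-integer dimension {d!r}")
        if not 0 <= d <= MAX_DIM:
            raise GammaRequestError(f"shape: dimension {d} outside [0, {MAX_DIM}]")
    return list(dims)

def _check_params(name, values):
    if not isinstance(values, (list, tuple)) or not 0 < len(values) <= MAX_DIM:
        raise GammaRequestError(f"{name}: need a non-empty flat list")
    for v in values:
        if isinstance(v, bool) or not isinstance(v, (int, float)):
            raise GammaRequestError(f"{name}: non-numeric value {v!r}")
        # The chained comparison is False for NaN, inf, zero and negatives.
        if not 0 < v <= MAX_PARAM:
            raise GammaRequestError(f"{name}: value {v!r} outside (0, {MAX_PARAM}]")
    return [float(v) for v in values]

def validate_gamma_request(shape, alpha, beta):
    """Return (shape, alpha, beta, total_samples) or raise GammaRequestError."""
    dims = _check_dims(shape)
    a, b = _check_params("alpha", alpha), _check_params("beta", beta)
    if len(a) != len(b) and 1 not in (len(a), len(b)):
        raise GammaRequestError("alpha and beta lengths do not broadcast")
    # Output holds prod(shape) * len(broadcast(alpha, beta)) samples. Python
    # ints are arbitrary precision, so this product cannot wrap around.
    total = math.prod(dims) * max(len(a), len(b))
    if total > MAX_ELEMENTS:
        raise GammaRequestError(f"{total} samples exceeds {MAX_ELEMENTS}")
    return dims, a, b, total
```

Checking the total sample count matters as much as the per-dimension bound: a shape such as [4096, 4096] passes every single-dimension check and is still rejected on the product.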

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.6.2.3 - AI System Operation
NIST AI RMF: MANAGE 2.2 - Risk Response and Remediation
OWASP LLM Top 10: LLM04 - Model Denial of Service

Frequently Asked Questions

Is CVE-2022-36004 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-36004, increasing the risk of exploitation.

What systems are affected by CVE-2022-36004?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference APIs.

What is the CVSS score for CVE-2022-36004?

CVE-2022-36004 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.39%.

What is the AI security impact?

Affected AI Architectures

model serving, training pipelines, inference APIs

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0043 Craft Adversarial Data
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. When `tf.random.gamma` receives large input shape and rates, it gives a `CHECK` fail that can trigger a denial of service attack. We have patched the issue in GitHub commit 552bfced6ce4809db5f3ca305f60ff80dd40c5a3. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary identifies a public ML inference API backed by TensorFlow — for example, a Bayesian recommendation engine or VAE-based anomaly detection service. By sending POST requests with crafted tensors containing extremely large shape values or rate parameters that are passed internally to tf.random.gamma, the adversary triggers a CHECK assertion failure, crashing the TensorFlow serving process. With no workaround available, repeated requests sustain a persistent DoS. The attacker needs no authentication, no ML expertise, and no prior reconnaissance beyond identifying the endpoint — a single malformed request is sufficient to crash the worker.

Weaknesses (CWE)

CWE-617 — Reachable Assertion: The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

  • [Implementation] Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
  • [Implementation] Perform input validation on user data.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: September 16, 2022
Last Modified: November 21, 2024
First Seen: September 16, 2022
