CVE-2022-36005 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

A remotely exploitable denial-of-service in TensorFlow's quantization gradient API allows any unauthenticated attacker to crash inference or training services by sending nonscalar min/max inputs. Patch to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately; there are no workarounds. If your ML serving infrastructure is internet-facing and uses quantization operations, treat this as urgent.

Risk Assessment

High exploitability: CVSS 7.5, network-accessible, zero authentication, low complexity. The CHECK assertion failure terminates the TensorFlow process, making this a reliable crash trigger. No code execution or data leakage, but availability impact on inference or training pipelines is severe. Quantization is a standard step in edge-deployment workflows, widening the exposed surface.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 21% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch: upgrade to TensorFlow 2.10.0, or cherrypick commit f3cf67ac5705f4f04721d15e485e192bb319feed on 2.9.x, 2.8.x, 2.7.x.
No official workaround exists per the advisory.
Interim defense: add input validation layer upstream to enforce scalar shape on min/max parameters before reaching fake_quant_with_min_max_vars_gradient.
Deploy rate-limiting and anomaly detection on inference API endpoints to detect repeated crash-restart cycles.
Run TF Serving in containerized environments with auto-restart policies to minimize downtime if exploited before patching.

Classification

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - Availability of AI systems

NIST AI RMF

MANAGE 2.4 - Residual risks and errors are monitored and documented MEASURE 2.5 - Robustness of AI system is evaluated

Frequently Asked Questions

What is CVE-2022-36005?

A remotely exploitable denial-of-service in TensorFlow's quantization gradient API allows any unauthenticated attacker to crash inference or training services by sending nonscalar min/max inputs. Patch to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately; there are no workarounds. If your ML serving infrastructure is internet-facing and uses quantization operations, treat this as urgent.

Is CVE-2022-36005 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-36005, increasing the risk of exploitation.

How to fix CVE-2022-36005?

1. Patch: upgrade to TensorFlow 2.10.0, or cherrypick commit f3cf67ac5705f4f04721d15e485e192bb319feed on 2.9.x, 2.8.x, 2.7.x. 2. No official workaround exists per the advisory. 3. Interim defense: add input validation layer upstream to enforce scalar shape on min/max parameters before reaching fake_quant_with_min_max_vars_gradient. 4. Deploy rate-limiting and anomaly detection on inference API endpoints to detect repeated crash-restart cycles. 5. Run TF Serving in containerized environments with auto-restart policies to minimize downtime if exploited before patching.

What systems are affected by CVE-2022-36005?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference.

What is the CVSS score for CVE-2022-36005?

CVE-2022-36005 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.07%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. When `tf.quantization.fake_quant_with_min_max_vars_gradient` receives input `min` or `max` that is nonscalar, it gives a `CHECK` fail that can trigger a denial of service attack. We have patched the issue in GitHub commit f3cf67ac5705f4f04721d15e485e192bb319feed. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary identifies a public-facing TensorFlow Serving endpoint that accepts model inputs processed through quantization operations. They craft a request containing a nonscalar tensor (e.g., a 1D array instead of a scalar) for the min or max parameter of the quantization gradient operation. Upon receiving the malformed input, TensorFlow triggers a CHECK assertion failure and the serving process crashes. By automating repeated requests, the adversary maintains continuous DoS, preventing legitimate model inference. This requires no ML expertise—only knowledge of the TF API signature and a basic HTTP client.