CVE-2022-36011: TensorFlow: null deref DoS in MLIR function conversion

HIGH
Published September 16, 2022
CISO Take

This is a remotely-triggerable denial-of-service in TensorFlow's MLIR compiler layer — no authentication required, no user interaction needed. Any TensorFlow Serving endpoint or pipeline that processes externally-supplied model files is at risk of being crashed via a crafted model with empty function attributes. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2, and restrict model ingestion to trusted, validated sources.

Risk Assessment

CVSS 7.5 High with AV:N/AC:L/PR:N/UI:N makes this trivially exploitable by any attacker with network access to an affected service. Impact is limited to availability (no confidentiality or integrity loss), which reduces overall severity for most deployments. The CVE is not in CISA KEV and there is no evidence of active exploitation, but the low attack complexity and zero-authentication requirement elevate practical risk for teams running exposed TF Serving or model-loading pipelines. Organizations accepting model files from untrusted sources (open model registries, user uploads) face the highest exposure.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 22% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: None
I: None
A: High

Recommended Action

  1. Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 (commit 1cf45b8).

  2. Network hardening: TF Serving endpoints should not be directly internet-accessible; place behind API gateway with authentication.

  3. Model validation: Implement pre-load model validation/scanning before passing model files to TF runtime — reject models with empty or malformed function attributes.

  4. Process isolation: Run TF Serving workers in isolated containers so a crash does not affect other services.

  5. Detection: Monitor for repeated process crashes or OOM/SIGSEGV signals in TF Serving logs, which may indicate exploitation attempts. No known workarounds beyond patching.
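
Added example, not part of the original advisory: a crash-loop detector for step 5 that flags a worker once it has exited on SIGSEGV three times within five minutes. The event line format, worker names, threshold and window are assumptions made for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

SIGSEGV_EXIT = 128 + 11  # exit status reported for a process killed by SIGSEGV

# Constructed sample: "<ISO timestamp> <worker name> exit=<status>" lines,
# a hypothetical format standing in for supervisor or container-runtime events.
SAMPLE_EVENTS = """\
2022-09-16T10:00:02 tf-serving-a exit=139
2022-09-16T10:00:41 tf-serving-a exit=139
2022-09-16T10:01:15 tf-serving-b exit=0
2022-09-16T10:01:30 tf-serving-a exit=139
2022-09-16T10:04:59 tf-serving-b exit=137
2022-09-16T11:30:00 tf-serving-b exit=139
"""

def parse_events(text):
    """Yield (timestamp, worker, exit_status) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("exit="):
            continue  # skip lines that are not exit events
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], int(parts[2][5:])
        except ValueError:
            continue  # malformed timestamp or status

def segv_crash_loops(text, threshold=3, window=timedelta(minutes=5)):
    """Return {worker: time of first alert} for workers that reach `threshold`
    SIGSEGV exits inside one sliding `window`."""
    recent = {}  # worker -> deque of SIGSEGV timestamps still inside the window
    alerts = {}
    for ts, worker, status in sorted(parse_events(text)):
        if status != SIGSEGV_EXIT:
            continue  # e.g. 137 (SIGKILL, typical of an OOM kill) is tracked elsewhere
        q = recent.setdefault(worker, deque())
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop crashes that fell out of the window
        if len(q) >= threshold and worker not in alerts:
            alerts[worker] = ts
    return alerts

if __name__ == "__main__":
    for worker, ts in segv_crash_loops(SAMPLE_EVENTS).items():
        print(f"{ts.isoformat()} {worker}: repeated SIGSEGV exits, review recent model loads")
```

An alert from this check is a prompt to correlate the crash times with which model files were loaded just before each exit.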

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system for high-risk AI
ISO 42001
8.4 - AI system risk management
NIST AI RMF
GOVERN-1.7 - Organizational practices for AI risk
MANAGE-2.2 - Risk response for AI system risks

Frequently Asked Questions

What is CVE-2022-36011?

This is a remotely-triggerable denial-of-service in TensorFlow's MLIR compiler layer — no authentication required, no user interaction needed. Any TensorFlow Serving endpoint or pipeline that processes externally-supplied model files is at risk of being crashed via a crafted model with empty function attributes. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2, and restrict model ingestion to trusted, validated sources.

Is CVE-2022-36011 actively exploited?

No confirmed active exploitation of CVE-2022-36011 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-36011?

  1. Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 (commit 1cf45b8).

  2. Network hardening: TF Serving endpoints should not be directly internet-accessible; place behind API gateway with authentication.

  3. Model validation: Implement pre-load model validation/scanning before passing model files to TF runtime — reject models with empty or malformed function attributes.

  4. Process isolation: Run TF Serving workers in isolated containers so a crash does not affect other services.

  5. Detection: Monitor for repeated process crashes or OOM/SIGSEGV signals in TF Serving logs, which may indicate exploitation attempts. No known workarounds beyond patching.

What systems are affected by CVE-2022-36011?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML inference endpoints, MLOps/CI-CD pipelines, multi-tenant model platforms.

What is the CVSS score for CVE-2022-36011?

CVE-2022-36011 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.07%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. When `mlir::tfg::ConvertGenericFunctionToFunctionDef` is given empty function attributes, it gives a null dereference. We have patched the issue in GitHub commit 1cf45b831eeb0cab8655c9c7c5d06ec6f45fc41b. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary targeting an organization's MLOps pipeline identifies a TF Serving endpoint that accepts model uploads (e.g., a model registry or A/B testing platform). They craft a TensorFlow SavedModel containing a function definition with deliberately empty attributes in the MLIR TFG representation. When the victim's TF Serving instance loads this model for inference, `ConvertGenericFunctionToFunctionDef` dereferences a null pointer and crashes the worker process. The attacker repeats this in a loop, keeping the inference service unavailable and disrupting production AI-powered features. In a CI/CD context, the same model submitted to a training pipeline would crash the training job, delaying model updates.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: September 16, 2022
Last Modified: November 21, 2024
First Seen: September 16, 2022
