CVE-2022-36011: TensorFlow: null deref DoS in MLIR function conversion

HIGH
Published September 16, 2022
CISO Take

This is a remotely-triggerable denial-of-service in TensorFlow's MLIR compiler layer — no authentication required, no user interaction needed. Any TensorFlow Serving endpoint or pipeline that processes externally-supplied model files is at risk of being crashed via a crafted model with empty function attributes. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2, and restrict model ingestion to trusted, validated sources.

What is the risk?

CVSS 7.5 High with AV:N/AC:L/PR:N/UI:N makes this trivially exploitable by any network-accessible attacker. Impact is limited to availability (no confidentiality or integrity loss), which reduces overall severity for most deployments. Not in CISA KEV and no evidence of active exploitation, but the low attack complexity and zero-authentication requirement elevate practical risk for teams running exposed TF Serving or model-loading pipelines. Organizations accepting model files from untrusted sources (open model registries, user uploads) face the highest exposure.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 30% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

What should I do?

5 steps
  1. Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 (commit 1cf45b8).

  2. Network hardening: TF Serving endpoints should not be directly internet-accessible; place behind API gateway with authentication.

  3. Model validation: Implement pre-load model validation/scanning before passing model files to TF runtime — reject models with empty or malformed function attributes.

  4. Process isolation: Run TF Serving workers in isolated containers so a crash does not affect other services.

  5. Detection: Monitor for repeated process crashes or OOM/SIGSEGV signals in TF Serving logs, which may indicate exploitation attempts. No known workarounds beyond patching.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system for high-risk AI
ISO 42001
8.4 - AI system risk management
NIST AI RMF
GOVERN-1.7 - Organizational practices for AI risk
MANAGE-2.2 - Risk response for AI system risks

Frequently Asked Questions

What is CVE-2022-36011?

This is a remotely-triggerable denial-of-service in TensorFlow's MLIR compiler layer — no authentication required, no user interaction needed. Any TensorFlow Serving endpoint or pipeline that processes externally-supplied model files is at risk of being crashed via a crafted model with empty function attributes. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2, and restrict model ingestion to trusted, validated sources.

Is CVE-2022-36011 actively exploited?

No confirmed active exploitation of CVE-2022-36011 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-36011?

  1. Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 (commit 1cf45b8).

  2. Network hardening: TF Serving endpoints should not be directly internet-accessible; place behind API gateway with authentication.

  3. Model validation: Implement pre-load model validation/scanning before passing model files to TF runtime; reject models with empty or malformed function attributes.

  4. Process isolation: Run TF Serving workers in isolated containers so a crash does not affect other services.

  5. Detection: Monitor for repeated process crashes or OOM/SIGSEGV signals in TF Serving logs, which may indicate exploitation attempts. No known workarounds beyond patching.

What systems are affected by CVE-2022-36011?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML inference endpoints, MLOps/CI-CD pipelines, multi-tenant model platforms.

What is the CVSS score for CVE-2022-36011?

CVE-2022-36011 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.38%.

What is the AI security impact?

Affected AI Architectures

model serving, training pipelines, ML inference endpoints, MLOps/CI-CD pipelines, multi-tenant model platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: 8.4
NIST AI RMF: GOVERN-1.7, MANAGE-2.2

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. When `mlir::tfg::ConvertGenericFunctionToFunctionDef` is given empty function attributes, it gives a null dereference. We have patched the issue in GitHub commit 1cf45b831eeb0cab8655c9c7c5d06ec6f45fc41b. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary targeting an organization's MLOps pipeline identifies a TF Serving endpoint that accepts model uploads (e.g., a model registry or A/B testing platform). They craft a TensorFlow SavedModel containing a function definition with deliberately empty attributes in the MLIR TFG representation. When the victim's TF Serving instance loads this model for inference, `ConvertGenericFunctionToFunctionDef` dereferences a null pointer and crashes the worker process. The attacker repeats this in a loop, keeping the inference service unavailable and disrupting production AI-powered features. In a CI/CD context, the same model submitted to a training pipeline would crash the training job, delaying model updates.

Weaknesses (CWE)

CWE-476 — NULL Pointer Dereference: The product dereferences a pointer that it expects to be valid but is NULL.

  • [Implementation] For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
  • [Requirements] Select a programming language that is not susceptible to these issues.

Source: MITRE CWE corpus.
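The null-dereference pattern described in the advisory above and the CWE-476 check it calls for, as an added example that is not TensorFlow's code: a reduced C++ model of an MLIR-style attribute lookup that yields a null handle when a function's attribute dictionary is empty, shown in its unchecked form beside the checked form that rejects the malformed function instead of crashing the process. The struct names and the "control_output" attribute key are illustrative assumptions, not TensorFlow's API.

```cpp
// Added illustration (not TensorFlow's code): a reduced model of the CWE-476
// pattern behind CVE-2022-36011 and of the null check that closes it.
#include <map>
#include <string>
#include <vector>

// Stand-in for an MLIR attribute value (a list of names is all we need here).
struct Attr { std::vector<std::string> names; };

// Stand-in for a generic TFG-style function op whose attribute dictionary may
// be empty in a crafted model.
struct GenericFunc {
    std::string name;
    std::map<std::string, Attr> attrs;
    // Mirrors the MLIR convention of returning a null handle for a missing
    // attribute, which is exactly what an empty dictionary produces.
    const Attr* getAttr(const std::string& key) const {
        auto it = attrs.find(key);
        return it == attrs.end() ? nullptr : &it->second;
    }
};

struct FunctionDef {
    std::string name;
    std::vector<std::string> control_outputs;
};

// Vulnerable shape: the attribute ("control_output" is an illustrative key) is
// assumed to exist and dereferenced without a check. With an empty attribute
// dictionary this is a null pointer dereference and the worker process dies.
FunctionDef convertUnchecked(const GenericFunc& func) {
    FunctionDef def;
    def.name = func.name;
    def.control_outputs = func.getAttr("control_output")->names;  // CWE-476
    return def;
}

// Hardened shape: the lookup result is tested before use and the malformed
// function is reported to the caller, so the model is rejected, not the worker.
bool convertChecked(const GenericFunc& func, FunctionDef* out, std::string* err) {
    const Attr* co = func.getAttr("control_output");
    if (co == nullptr) {
        *err = "function '" + func.name + "': missing attribute 'control_output'";
        return false;
    }
    out->name = func.name;
    out->control_outputs = co->names;
    return true;
}
```

A pre-load validator in the spirit of step 3 above would run the checked conversion over every function in a model's library and refuse the whole model on the first returned error.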

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
September 16, 2022
Last Modified
November 21, 2024
First Seen
September 16, 2022

Related Vulnerabilities