AI Threat Alert AI Threat Alert

CVE-2022-36012: TensorFlow: DoS via empty MLIR function attributes

HIGH
Published September 16, 2022
CISO Take

A network-reachable crash in TensorFlow's MLIR graph compiler requires no authentication and no user interaction to trigger, making any exposed TF serving endpoint a trivial DoS target. Patch to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately — no workaround exists. Prioritize internet-facing inference services first.

Risk Assessment

CVSS 7.5 is accurate for this DoS-only vulnerability. The attack profile (network, low complexity, no privileges, no interaction) makes it trivially exploitable by any attacker who can reach a TF endpoint. Impact is confined to availability — no code execution, no data exfiltration. Risk is highest for organizations running public-facing TensorFlow Serving deployments; internal-only inference pipelines have lower but non-zero exposure. Not in CISA KEV and no evidence of active exploitation, reducing urgency slightly.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
7.5 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 41% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

Recommended Action

5 steps

  1. Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately.

  2. If patching is delayed: place TF serving endpoints behind an API gateway with strict input schema validation; reject malformed or empty function attribute payloads at the perimeter.

  3. Harden: Restrict network access to TF serving ports to trusted clients only — no public exposure without auth proxy.

  4. Monitor: Alert on TF process crashes or unexpected restarts as a detection signal.

  5. Inventory: Audit all services running TF 2.7.x–2.9.x to confirm patch coverage.

Classification

DoS Framework Inference AML.T0010.001 AML.T0029 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
Clause 8.4 - AI system operation
NIST AI RMF
MANAGE 2.4 - Risk treatment, response, and recovery plans

Frequently Asked Questions

What is CVE-2022-36012?

A network-reachable crash in TensorFlow's MLIR graph compiler requires no authentication and no user interaction to trigger, making any exposed TF serving endpoint a trivial DoS target. Patch to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately — no workaround exists. Prioritize internet-facing inference services first.

Is CVE-2022-36012 actively exploited?

No confirmed active exploitation of CVE-2022-36012 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-36012?

1. Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately. 2. If patching is delayed: place TF serving endpoints behind an API gateway with strict input schema validation; reject malformed or empty function attribute payloads at the perimeter. 3. Harden: Restrict network access to TF serving ports to trusted clients only — no public exposure without auth proxy. 4. Monitor: Alert on TF process crashes or unexpected restarts as a detection signal. 5. Inventory: Audit all services running TF 2.7.x–2.9.x to confirm patch coverage.

What systems are affected by CVE-2022-36012?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML inference endpoints.

What is the CVSS score for CVE-2022-36012?

CVE-2022-36012 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.19%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. When `mlir::tfg::ConvertGenericFunctionToFunctionDef` is given empty function attributes, it crashes. We have patched the issue in GitHub commit ad069af92392efee1418c48ff561fd3070a03d7b. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An attacker enumerates an organization's AI inference infrastructure — via Shodan, internal network scan, or API documentation leak — and identifies an exposed TensorFlow Serving endpoint. They craft a minimal TFG function definition with empty attributes and submit it to the model import API. The `ConvertGenericFunctionToFunctionDef` call triggers an assertion crash, taking down the TF serving process. Repeating submissions sustains the outage. The attack requires no ML knowledge, no credentials, and no prior access — a script-kiddie-level DoS against production AI inference.

Weaknesses (CWE)

CWE-617 Primary CWE-617

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
September 16, 2022
Last Modified
November 21, 2024
First Seen
September 16, 2022

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed