CVE-2022-36012: TensorFlow: DoS via empty MLIR function attributes

HIGH
Published September 16, 2022
CISO Take

A network-reachable crash in TensorFlow's MLIR graph compiler requires no authentication and no user interaction to trigger, making any exposed TF serving endpoint a trivial DoS target. Patch to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately — no workaround exists. Prioritize internet-facing inference services first.

What is the risk?

CVSS 7.5 is accurate for this DoS-only vulnerability. The attack profile (network, low complexity, no privileges, no interaction) makes it trivially exploitable by any attacker who can reach a TF endpoint. Impact is confined to availability — no code execution, no data exfiltration. Risk is highest for organizations running public-facing TensorFlow Serving deployments; internal-only inference pipelines have lower but non-zero exposure. Not in CISA KEV and no evidence of active exploitation, reducing urgency slightly.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.5%
chance of exploitation in 30 days
Higher than 40% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

What should I do?

  1. Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately.

  2. If patching is delayed: place TF serving endpoints behind an API gateway with strict input schema validation; reject malformed or empty function attribute payloads at the perimeter.

  3. Harden: Restrict network access to TF serving ports to trusted clients only — no public exposure without auth proxy.

  4. Monitor: Alert on TF process crashes or unexpected restarts as a detection signal.

  5. Inventory: Audit all services running TF 2.7.x–2.9.x to confirm patch coverage.
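For the inventory step, the sketch below triages `pip freeze` output against the fixed releases named above. It is an added example, not code from the TensorFlow project or the advisory. Treating `tensorflow-cpu` and `tensorflow-gpu` like the main package, and flagging pre-releases and pre-2.7 branches for manual review, are assumptions.

```python
import re

# Fixed releases named on this page, keyed by (major, minor) branch.
FIXED = {(2, 7): (2, 7, 2), (2, 8): (2, 8, 1), (2, 9): (2, 9, 1)}
FIRST_FIXED_MAINLINE = (2, 10, 0)
# Assumption: the CPU/GPU distributions are triaged like the main package.
PACKAGES = {"tensorflow", "tensorflow-cpu", "tensorflow-gpu"}

# Matches exact pins only, e.g. "tensorflow==2.9.0" or "tensorflow==2.10.0rc1".
PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*==\s*(\d+)\.(\d+)\.(\d+)(\S*)")


def classify(version):
    """Return 'patched', 'vulnerable' or 'review' for a (major, minor, patch) tuple."""
    if version >= FIRST_FIXED_MAINLINE:
        return "patched"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branch older than 2.7: this page lists no fixed release for it.
        return "review"
    return "patched" if version >= fixed else "vulnerable"


def triage(freeze_text):
    """Return (package, version, status) for every pinned TensorFlow entry."""
    findings = []
    for line in freeze_text.splitlines():
        m = PIN.match(line)
        if not m:
            continue  # unpinned or non-package line: nothing to compare
        name = m.group(1).lower().replace("_", "-")
        if name not in PACKAGES:
            continue
        version = tuple(int(m.group(i)) for i in (2, 3, 4))
        suffix = m.group(5)
        # A pre-release or local build may predate the fix commit.
        status = "review" if suffix else classify(version)
        findings.append((name, "%d.%d.%d%s" % (version + (suffix,)), status))
    return findings


# Constructed sample input, not taken from a real host.
SAMPLE = """numpy==1.23.3
tensorflow==2.9.0
tensorflow-cpu==2.8.1
tensorflow==2.10.0rc1
tensorflow-gpu==2.6.5
tensorflow-estimator==2.9.0
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding)
```

Only exact `==` pins are evaluated; range specifiers in a requirements file need to be resolved against the installed environment first.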

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
Clause 8.4 - AI system operation
NIST AI RMF
MANAGE 2.4 - Risk treatment, response, and recovery plans

Frequently Asked Questions

Is CVE-2022-36012 actively exploited?

No confirmed active exploitation of CVE-2022-36012 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-36012?

  1. Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately.

  2. If patching is delayed: place TF serving endpoints behind an API gateway with strict input schema validation; reject malformed or empty function attribute payloads at the perimeter.

  3. Harden: Restrict network access to TF serving ports to trusted clients only — no public exposure without auth proxy.

  4. Monitor: Alert on TF process crashes or unexpected restarts as a detection signal.

  5. Inventory: Audit all services running TF 2.7.x–2.9.x to confirm patch coverage.

What systems are affected by CVE-2022-36012?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML inference endpoints.

What is the CVSS score for CVE-2022-36012?

CVE-2022-36012 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.52%.

What is the AI security impact?

Affected AI Architectures

model serving, training pipelines, ML inference endpoints

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: Clause 8.4
NIST AI RMF: MANAGE 2.4

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. When `mlir::tfg::ConvertGenericFunctionToFunctionDef` is given empty function attributes, it crashes. We have patched the issue in GitHub commit ad069af92392efee1418c48ff561fd3070a03d7b. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An attacker enumerates an organization's AI inference infrastructure — via Shodan, internal network scan, or API documentation leak — and identifies an exposed TensorFlow Serving endpoint. They craft a minimal TFG function definition with empty attributes and submit it to the model import API. The `ConvertGenericFunctionToFunctionDef` call triggers an assertion crash, taking down the TF serving process. Repeating submissions sustains the outage. The attack requires no ML knowledge, no credentials, and no prior access — a script-kiddie-level DoS against production AI inference.

Weaknesses (CWE)

CWE-617 — Reachable Assertion: The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

  • [Implementation] Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
  • [Implementation] Perform input validation on user data.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
September 16, 2022
Last Modified
November 21, 2024
First Seen
September 16, 2022

Related Vulnerabilities