CVE-2022-36014 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

An unauthenticated remote attacker can crash TensorFlow serving instances by sending a GraphDef with null type list attributes, triggering a null pointer dereference in the MLIR TFG import layer. If your organization exposes TensorFlow inference endpoints — even internally — this is a trivially exploitable availability risk. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2; no workaround exists.

Risk Assessment

High availability risk for any org running TensorFlow inference services reachable over the network. CVSS 7.5 is accurate: zero prerequisites (no auth, no user interaction, low complexity) guarantee this is easy to weaponize. The blast radius is limited to availability — no data exfiltration or code execution — but a sustained DoS against ML inference infrastructure can halt AI-dependent business processes. The 2022 publish date means most patched environments are already protected; risk is concentrated in unmanaged or legacy TF deployments.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 56% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

PATCH

Upgrade TensorFlow to 2.10.0, 2.9.1, 2.8.1, or 2.7.2. Cherry-picks are available for the LTS-supported branches.
NETWORK

If patching is delayed, place a WAF or API gateway in front of TF Serving endpoints to block malformed protobuf inputs. Restrict inference endpoints to known internal callers.
INPUT VALIDATION

Validate GraphDef payloads before passing to TF runtime — reject requests with null or empty type list attributes at the API layer.
DETECTION

Alert on unexpected TF Serving process restarts or crash loops in container orchestration logs (OOMKilled substitute pattern). Monitor for repeated 500/503 errors on inference endpoints.
INVENTORY

Identify all TF versions in use via pip freeze audits or container image scanning; prioritize externally-exposed instances.

Classification

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.5 - AI system availability and resilience

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain AI system reliability MEASURE-2.5 - AI system robustness testing

Frequently Asked Questions

What is CVE-2022-36014?

An unauthenticated remote attacker can crash TensorFlow serving instances by sending a GraphDef with null type list attributes, triggering a null pointer dereference in the MLIR TFG import layer. If your organization exposes TensorFlow inference endpoints — even internally — this is a trivially exploitable availability risk. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2; no workaround exists.

Is CVE-2022-36014 actively exploited?

No confirmed active exploitation of CVE-2022-36014 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-36014?

1. PATCH: Upgrade TensorFlow to 2.10.0, 2.9.1, 2.8.1, or 2.7.2. Cherry-picks are available for the LTS-supported branches. 2. NETWORK: If patching is delayed, place a WAF or API gateway in front of TF Serving endpoints to block malformed protobuf inputs. Restrict inference endpoints to known internal callers. 3. INPUT VALIDATION: Validate GraphDef payloads before passing to TF runtime — reject requests with null or empty type list attributes at the API layer. 4. DETECTION: Alert on unexpected TF Serving process restarts or crash loops in container orchestration logs (OOMKilled substitute pattern). Monitor for repeated 500/503 errors on inference endpoints. 5. INVENTORY: Identify all TF versions in use via `pip freeze` audits or container image scanning; prioritize externally-exposed instances.

What systems are affected by CVE-2022-36014?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML infrastructure, model conversion pipelines.

What is the CVSS score for CVE-2022-36014?

CVE-2022-36014 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.33%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. When `mlir::tfg::TFOp::nameAttr` receives null type list attributes, it crashes. We have patched the issue in GitHub commits 3a754740d5414e362512ee981eefba41561a63a6 and a0f0b9a21c9270930457095092f558fbad4c03e5. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary targeting an organization's ML inference API (e.g., a TF Serving gRPC endpoint exposed internally or via API gateway) crafts a minimal TensorFlow GraphDef protobuf with intentionally null type list attributes in a node definition. They submit this payload to the `/v1/models/:model/versions/:version:predict` endpoint or equivalent gRPC call. The MLIR TFG import path processes the graph, hits the null dereference in `mlir::tfg::TFOp::nameAttr`, and crashes the serving process. In a Kubernetes environment, the pod restarts but the adversary automates the attack to maintain continuous DoS. For organizations where inference serves a revenue-generating product (real-time fraud detection, recommendation engines), this translates directly to service degradation and SLA breaches.