AI Threat Alert

CVE-2022-36014: TensorFlow: null ptr dereference in MLIR causes remote DoS

HIGH
Published September 16, 2022
CISO Take

An unauthenticated remote attacker can crash TensorFlow serving instances by sending a GraphDef with null type list attributes, triggering a null pointer dereference in the MLIR TFG import layer. If your organization exposes TensorFlow inference endpoints — even internally — this is a trivially exploitable availability risk. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2; no workaround exists.

What is the risk?

High availability risk for any org running TensorFlow inference services reachable over the network. CVSS 7.5 is accurate: zero prerequisites (no auth, no user interaction, low complexity) guarantee this is easy to weaponize. The blast radius is limited to availability — no data exfiltration or code execution — but a sustained DoS against ML inference infrastructure can halt AI-dependent business processes. The 2022 publish date means most patched environments are already protected; risk is concentrated in unmanaged or legacy TF deployments.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 3d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.5%
chance of exploitation in 30 days
Higher than 41% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

What should I do?

5 steps

  1. PATCH

    Upgrade TensorFlow to 2.10.0, 2.9.1, 2.8.1, or 2.7.2. Cherry-picks are available for the LTS-supported branches.

  2. NETWORK

    If patching is delayed, place a WAF or API gateway in front of TF Serving endpoints to block malformed protobuf inputs. Restrict inference endpoints to known internal callers.

  3. INPUT VALIDATION

    Validate GraphDef payloads before passing to TF runtime — reject requests with null or empty type list attributes at the API layer.

  4. DETECTION

    Alert on unexpected TF Serving process restarts or crash loops in container orchestration logs (OOMKilled substitute pattern). Monitor for repeated 500/503 errors on inference endpoints.

  5. INVENTORY

    Identify all TF versions in use via pip freeze audits or container image scanning; prioritize externally-exposed instances.

How is it classified?

DoS Framework Inference AML.T0029 AML.T0034 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.5 - AI system availability and resilience
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain AI system reliability MEASURE-2.5 - AI system robustness testing

Frequently Asked Questions

What is CVE-2022-36014?

An unauthenticated remote attacker can crash TensorFlow serving instances by sending a GraphDef with null type list attributes, triggering a null pointer dereference in the MLIR TFG import layer. If your organization exposes TensorFlow inference endpoints — even internally — this is a trivially exploitable availability risk. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2; no workaround exists.

Is CVE-2022-36014 actively exploited?

No confirmed active exploitation of CVE-2022-36014 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-36014?

1. PATCH: Upgrade TensorFlow to 2.10.0, 2.9.1, 2.8.1, or 2.7.2. Cherry-picks are available for the LTS-supported branches. 2. NETWORK: If patching is delayed, place a WAF or API gateway in front of TF Serving endpoints to block malformed protobuf inputs. Restrict inference endpoints to known internal callers. 3. INPUT VALIDATION: Validate GraphDef payloads before passing to TF runtime — reject requests with null or empty type list attributes at the API layer. 4. DETECTION: Alert on unexpected TF Serving process restarts or crash loops in container orchestration logs (OOMKilled substitute pattern). Monitor for repeated 500/503 errors on inference endpoints. 5. INVENTORY: Identify all TF versions in use via `pip freeze` audits or container image scanning; prioritize externally-exposed instances.

What systems are affected by CVE-2022-36014?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML infrastructure, model conversion pipelines.

What is the CVSS score for CVE-2022-36014?

CVE-2022-36014 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.53%.

What is the AI security impact?

Affected AI Architectures

model servingtraining pipelinesML infrastructuremodel conversion pipelines

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0034 Cost Harvesting
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE-2.2, MEASURE-2.5

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. When `mlir::tfg::TFOp::nameAttr` receives null type list attributes, it crashes. We have patched the issue in GitHub commits 3a754740d5414e362512ee981eefba41561a63a6 and a0f0b9a21c9270930457095092f558fbad4c03e5. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary targeting an organization's ML inference API (e.g., a TF Serving gRPC endpoint exposed internally or via API gateway) crafts a minimal TensorFlow GraphDef protobuf with intentionally null type list attributes in a node definition. They submit this payload to the `/v1/models/:model/versions/:version:predict` endpoint or equivalent gRPC call. The MLIR TFG import path processes the graph, hits the null dereference in `mlir::tfg::TFOp::nameAttr`, and crashes the serving process. In a Kubernetes environment, the pod restarts but the adversary automates the attack to maintain continuous DoS. For organizations where inference serves a revenue-generating product (real-time fraud detection, recommendation engines), this translates directly to service degradation and SLA breaches.

Weaknesses (CWE)

CWE-476 NULL Pointer Dereference

CWE-476 — NULL Pointer Dereference: The product dereferences a pointer that it expects to be valid but is NULL.

  • [Implementation] For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
  • [Requirements] Select a programming language that is not susceptible to these issues.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
September 16, 2022
Last Modified
November 21, 2024
First Seen
September 16, 2022

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed