AI Threat Alert AI Threat Alert

CVE-2022-36015: TensorFlow: integer overflow in RangeSize causes DoS

HIGH
Published September 16, 2022
CISO Take

An unauthenticated remote attacker can crash any TensorFlow serving instance by sending a crafted RangeSize operation with out-of-bounds int64 values, causing a full availability outage. No privileges or user interaction required — any exposed TensorFlow inference endpoint is vulnerable. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2.

Risk Assessment

Risk is HIGH for organizations running TensorFlow model serving endpoints exposed to untrusted input (e.g., public inference APIs, multi-tenant ML platforms). CVSS AV:N/AC:L/PR:N/UI:N means exploitation is trivial and scriptable. No confidentiality or integrity impact, but full availability loss is significant for production AI systems. The integer overflow (CWE-190) in a core math op is easy to trigger reliably.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
7.5 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 41% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

Recommended Action

5 steps

  1. Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 — no workaround exists per the advisory.

  2. Scope check: Audit all TensorFlow serving endpoints reachable from untrusted networks; prioritize patching those first.

  3. Input validation: Add upstream validation to reject tensor shape values exceeding int64 bounds before they reach TF ops (defense in depth).

  4. Detection: Monitor for process crashes or pod restarts in TF serving containers — repeated crashes may indicate active exploitation.

  5. Network controls: If patching is delayed, restrict access to TF inference endpoints to trusted clients only.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0010.001 AML.T0029 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 / Annex I - Risk Management System — Robustness and Cybersecurity
ISO 42001
8.4 - AI System Robustness and Resilience
NIST AI RMF
RMF-RS-1.1 - Govern — Resilience and Reliability
OWASP LLM Top 10
LLM10 - Model Denial of Service

Frequently Asked Questions

What is CVE-2022-36015?

An unauthenticated remote attacker can crash any TensorFlow serving instance by sending a crafted RangeSize operation with out-of-bounds int64 values, causing a full availability outage. No privileges or user interaction required — any exposed TensorFlow inference endpoint is vulnerable. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2.

Is CVE-2022-36015 actively exploited?

No confirmed active exploitation of CVE-2022-36015 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-36015?

1. Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 — no workaround exists per the advisory. 2. Scope check: Audit all TensorFlow serving endpoints reachable from untrusted networks; prioritize patching those first. 3. Input validation: Add upstream validation to reject tensor shape values exceeding int64 bounds before they reach TF ops (defense in depth). 4. Detection: Monitor for process crashes or pod restarts in TF serving containers — repeated crashes may indicate active exploitation. 5. Network controls: If patching is delayed, restrict access to TF inference endpoints to trusted clients only.

What systems are affected by CVE-2022-36015?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, training pipelines, ML platform (multi-tenant).

What is the CVSS score for CVE-2022-36015?

CVE-2022-36015 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.19%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. When `RangeSize` receives values that do not fit into an `int64_t`, it crashes. We have patched the issue in GitHub commit 37e64539cd29fcfb814c4451152a60f5d107b0f0. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary targeting a company's public AI inference API (e.g., a fraud-detection or NLP model served via TF Serving) crafts a prediction request with RangeSize arguments whose computed range exceeds int64 limits. The TensorFlow process crashes, taking the model endpoint offline. The attacker repeats this to maintain a sustained DoS against the ML pipeline — disrupting real-time fraud scoring, recommendation engines, or any latency-sensitive AI workload. No authentication, exploit code, or AI/ML expertise required.

Weaknesses (CWE)

CWE-190

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
September 16, 2022
Last Modified
November 21, 2024
First Seen
September 16, 2022

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed