AI Threat Alert

CVE-2022-36015: TensorFlow: integer overflow in RangeSize causes DoS

HIGH
Published September 16, 2022
CISO Take

An unauthenticated remote attacker can crash any TensorFlow serving instance by sending a crafted RangeSize operation with out-of-bounds int64 values, causing a full availability outage. No privileges or user interaction required — any exposed TensorFlow inference endpoint is vulnerable. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2.

What is the risk?

Risk is HIGH for organizations running TensorFlow model serving endpoints exposed to untrusted input (e.g., public inference APIs, multi-tenant ML platforms). CVSS AV:N/AC:L/PR:N/UI:N means exploitation is trivial and scriptable. No confidentiality or integrity impact, but full availability loss is significant for production AI systems. The integer overflow (CWE-190) in a core math op is easy to trigger reliably.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 3d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.5%
chance of exploitation in 30 days
Higher than 40% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

What should I do?

5 steps

  1. Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 — no workaround exists per the advisory.

  2. Scope check: Audit all TensorFlow serving endpoints reachable from untrusted networks; prioritize patching those first.

  3. Input validation: Add upstream validation to reject tensor shape values exceeding int64 bounds before they reach TF ops (defense in depth).

  4. Detection: Monitor for process crashes or pod restarts in TF serving containers — repeated crashes may indicate active exploitation.

  5. Network controls: If patching is delayed, restrict access to TF inference endpoints to trusted clients only.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

DoS Framework Inference AML.T0010.001 AML.T0029 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 / Annex I - Risk Management System — Robustness and Cybersecurity
ISO 42001
8.4 - AI System Robustness and Resilience
NIST AI RMF
RMF-RS-1.1 - Govern — Resilience and Reliability
OWASP LLM Top 10
LLM10 - Model Denial of Service

Frequently Asked Questions

What is CVE-2022-36015?

An unauthenticated remote attacker can crash any TensorFlow serving instance by sending a crafted RangeSize operation with out-of-bounds int64 values, causing a full availability outage. No privileges or user interaction required — any exposed TensorFlow inference endpoint is vulnerable. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2.

Is CVE-2022-36015 actively exploited?

No confirmed active exploitation of CVE-2022-36015 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-36015?

1. Patch: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2 — no workaround exists per the advisory. 2. Scope check: Audit all TensorFlow serving endpoints reachable from untrusted networks; prioritize patching those first. 3. Input validation: Add upstream validation to reject tensor shape values exceeding int64 bounds before they reach TF ops (defense in depth). 4. Detection: Monitor for process crashes or pod restarts in TF serving containers — repeated crashes may indicate active exploitation. 5. Network controls: If patching is delayed, restrict access to TF inference endpoints to trusted clients only.

What systems are affected by CVE-2022-36015?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, training pipelines, ML platform (multi-tenant).

What is the CVSS score for CVE-2022-36015?

CVE-2022-36015 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.52%.

What is the AI security impact?

Affected AI Architectures

model servinginference APIstraining pipelinesML platform (multi-tenant)

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9 / Annex I
ISO 42001: 8.4
NIST AI RMF: RMF-RS-1.1
OWASP LLM Top 10: LLM10

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. When `RangeSize` receives values that do not fit into an `int64_t`, it crashes. We have patched the issue in GitHub commit 37e64539cd29fcfb814c4451152a60f5d107b0f0. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary targeting a company's public AI inference API (e.g., a fraud-detection or NLP model served via TF Serving) crafts a prediction request with RangeSize arguments whose computed range exceeds int64 limits. The TensorFlow process crashes, taking the model endpoint offline. The attacker repeats this to maintain a sustained DoS against the ML pipeline — disrupting real-time fraud scoring, recommendation engines, or any latency-sensitive AI workload. No authentication, exploit code, or AI/ML expertise required.

Weaknesses (CWE)

CWE-190 Integer Overflow or Wraparound

CWE-190 — Integer Overflow or Wraparound: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

  • [Requirements] Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. If possible, choose a language or compiler that performs automatic bounds checking.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
September 16, 2022
Last Modified
November 21, 2024
First Seen
September 16, 2022

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed