CVE-2022-36018 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

Any TensorFlow deployment accepting untrusted RaggedTensor inputs over the network is vulnerable to process crash with zero authentication required. This is a straightforward availability risk for ML inference APIs and serving infrastructure. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2 — no workaround exists.

Risk Assessment

High severity (CVSS 7.5) with worst-case exploitability characteristics: network-accessible, no privileges, no user interaction, low complexity. The CHECK fail causes immediate process termination, making it a reliable DoS primitive. Risk is highest for ML inference services and model-serving APIs that accept user-controlled tensor data. Reduced risk in air-gapped training environments where inputs are fully controlled. Not in CISA KEV and no evidence of active exploitation, but the trivial exploit path warrants prompt patching.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 20% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

PATCH

Upgrade to TensorFlow 2.10.0, or cherry-pick backports: 2.9.1, 2.8.1, 2.7.2 (commit 88f93dfe).
VALIDATE INPUTS

At inference endpoints, validate tensor ranks before processing — reject rt_nested_splits inputs with rank != 1.
ISOLATE

Run TF Serving in isolated containers/VMs; a crash should not cascade to other services.
MONITOR

Alert on abnormal TF Serving process restarts or crash loops — these may indicate active exploitation attempts.
AUDIT

Identify all internal and external-facing TensorFlow endpoints accepting RaggedTensor inputs.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.2.6 - AI system operational monitoring

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain the value of deployed AI are evaluated and applied

Frequently Asked Questions

What is CVE-2022-36018?

Any TensorFlow deployment accepting untrusted RaggedTensor inputs over the network is vulnerable to process crash with zero authentication required. This is a straightforward availability risk for ML inference APIs and serving infrastructure. Patch immediately to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2 — no workaround exists.

Is CVE-2022-36018 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-36018, increasing the risk of exploitation.

How to fix CVE-2022-36018?

1. PATCH: Upgrade to TensorFlow 2.10.0, or cherry-pick backports: 2.9.1, 2.8.1, 2.7.2 (commit 88f93dfe). 2. VALIDATE INPUTS: At inference endpoints, validate tensor ranks before processing — reject rt_nested_splits inputs with rank != 1. 3. ISOLATE: Run TF Serving in isolated containers/VMs; a crash should not cascade to other services. 4. MONITOR: Alert on abnormal TF Serving process restarts or crash loops — these may indicate active exploitation attempts. 5. AUDIT: Identify all internal and external-facing TensorFlow endpoints accepting RaggedTensor inputs.

What systems are affected by CVE-2022-36018?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, training pipelines, NLP processing pipelines.

What is the CVSS score for CVE-2022-36018?

CVE-2022-36018 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. If `RaggedTensorToVariant` is given a `rt_nested_splits` list that contains tensors of ranks other than one, it results in a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 88f93dfe691563baa4ae1e80ccde2d5c7a143821. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An adversary targeting an NLP inference API (e.g., a text classification or sequence labeling service built on TF Serving) sends a crafted gRPC request with a RaggedTensor payload where rt_nested_splits contains a 2D tensor instead of the expected 1D tensor. TensorFlow's RaggedTensorToVariant hits the CHECK assertion, immediately killing the serving process. On most deployment configurations this restarts the container, but repeated requests at low volume can maintain a persistent availability outage with minimal infrastructure cost to the attacker. No ML expertise required — only knowledge of the TF Serving gRPC API schema.