CVE-2022-36026: TensorFlow: DoS via QuantizeAndDequantizeV3 CHECK fail

HIGH PoC AVAILABLE
Published September 16, 2022
CISO Take

Any TensorFlow model serving endpoint that processes quantization ops is crashable by an unauthenticated remote attacker with a single malformed request. Patch to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately — no workaround exists. If patching is delayed, isolate inference endpoints behind authenticated proxies to reduce exposure.

Risk Assessment

High availability risk for exposed TF serving infrastructure. CVSS 7.5 reflects unauthenticated network exploitability with zero interaction required — exploitation is trivial and scriptable. Real-world risk is moderated by the fact that most production deployments don't directly expose raw TF ops to untrusted callers, but MLOps pipelines and internal research infrastructure often lack this boundary. Not actively exploited (not in KEV), but the low barrier to exploitation means any unpatched internet-facing TF endpoint is a credible DoS target.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 20% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: None
I: None
A: High

Recommended Action

  1. Patch immediately

    Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2. Commit f3f9cb38ecfe5a8a703f2c4a8fead434ef291713 contains the fix.

  2. Input validation

    Add shape checks for num_bits tensors before passing to quantization ops — assert scalar shape.

  3. Network isolation

    Place TF Serving endpoints behind authenticated API gateways; never expose raw gRPC/REST TF endpoints directly to the internet.

  4. Detection

    Monitor for abnormal TF process crashes or pod restart loops in serving infrastructure — correlate with incoming request logs to identify exploitation attempts.

  5. Inventory

    Identify which models in production use QuantizeAndDequantizeV3 via saved_model_cli show to prioritize patching.
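
A gateway-side version of the scalar check from step 2, added here as an illustration and not taken from TensorFlow or from this advisory's source. It assumes the served signature exposes an input named `num_bits` and that clients use the TF Serving REST columnar (`"inputs"`) format; `tensor_shape` and `check_num_bits` are hypothetical helper names, and any other body layout is rejected so the check fails closed.

```python
import json

# Assumption: the served signature exposes an input with this name.
NUM_BITS_INPUT = "num_bits"


def tensor_shape(value):
    """Shape of a JSON tensor in nested-list form; () means scalar."""
    if not isinstance(value, list):
        return ()
    if not value:
        return (0,)
    inner = {tensor_shape(item) for item in value}
    if len(inner) != 1:
        raise ValueError("ragged tensor: rows have different shapes")
    return (len(value),) + inner.pop()


def check_num_bits(body):
    """Check a columnar ("inputs") predict body; return (ok, reason).

    The gateway forwards the request only when ok is True.
    """
    try:
        payload = json.loads(body)
    except (ValueError, RecursionError):
        return False, "body is not valid JSON"
    inputs = payload.get("inputs") if isinstance(payload, dict) else None
    if not isinstance(inputs, dict) or NUM_BITS_INPUT not in inputs:
        return False, "missing named input " + NUM_BITS_INPUT
    value = inputs[NUM_BITS_INPUT]
    try:
        shape = tensor_shape(value)
    except (ValueError, RecursionError) as exc:
        return False, str(exc) or "tensor nesting too deep"
    if shape != ():
        return False, "num_bits must be a scalar, got shape %s" % (shape,)
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, int):
        return False, "num_bits must be an integer"
    return True, "ok"


# Constructed sample bodies, not captured traffic.
GOOD = '{"inputs": {"x": [[0.1, 0.2]], "num_bits": 8}}'
NON_SCALAR = '{"inputs": {"x": [[0.1, 0.2]], "num_bits": [8, 8]}}'

if __name__ == "__main__":
    for body in (GOOD, NON_SCALAR):
        print(check_num_bits(body))
```

Logging the rejection reason together with the caller identity gives the detection step a request-side signal to correlate with crash or restart events.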

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.5 - AI system availability and resilience
NIST AI RMF: MANAGE 2.2 - Mechanisms to achieve treatment of identified AI risks; MAP 5.2 - Practices and personnel for AI risk are in place

Frequently Asked Questions

What is CVE-2022-36026?

Any TensorFlow model serving endpoint that processes quantization ops is crashable by an unauthenticated remote attacker with a single malformed request. Patch to TF 2.10.0, 2.9.1, 2.8.1, or 2.7.2 immediately — no workaround exists. If patching is delayed, isolate inference endpoints behind authenticated proxies to reduce exposure.

Is CVE-2022-36026 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-36026, increasing the risk of exploitation.

How to fix CVE-2022-36026?

1. **Patch immediately**: Upgrade to TensorFlow 2.10.0, 2.9.1, 2.8.1, or 2.7.2. Commit f3f9cb38ecfe5a8a703f2c4a8fead434ef291713 contains the fix.
2. **Input validation**: Add shape checks for `num_bits` tensors before passing to quantization ops — assert scalar shape.
3. **Network isolation**: Place TF Serving endpoints behind authenticated API gateways; never expose raw gRPC/REST TF endpoints directly to the internet.
4. **Detection**: Monitor for abnormal TF process crashes or pod restart loops in serving infrastructure — correlate with incoming request logs to identify exploitation attempts.
5. **Inventory**: Identify which models in production use QuantizeAndDequantizeV3 via `saved_model_cli show` to prioritize patching.

What systems are affected by CVE-2022-36026?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference pipelines, training pipelines, edge/mobile model optimization.

What is the CVSS score for CVE-2022-36026?

CVE-2022-36026 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. If `QuantizeAndDequantizeV3` is given a nonscalar `num_bits` input tensor, it results in a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit f3f9cb38ecfe5a8a703f2c4a8fead434ef291713. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Exploitation Scenario

An attacker identifies a TensorFlow Serving endpoint (e.g., via Shodan scanning port 8501/8500) or gains access to an internal MLOps API. They craft a gRPC or REST inference request that passes a rank-1 or rank-2 tensor as the `num_bits` argument to a model that internally calls QuantizeAndDequantizeV3. The CHECK assertion fires and the TF Serving process crashes instantly. In a Kubernetes deployment, the pod restarts within seconds, but the attacker can loop requests to maintain continuous unavailability with minimal bandwidth. No authentication, no ML expertise, no special tooling required — a basic HTTP client suffices.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: September 16, 2022
Last Modified: November 21, 2024
First Seen: September 16, 2022