CVE-2022-41883: TensorFlow: executor crash via malformed op inputs (DoS)

HIGH PoC AVAILABLE
Published November 18, 2022
CISO Take

Any service exposing TensorFlow inference or training endpoints—including TF Serving, custom REST wrappers, or notebook environments—can be crashed by sending ops with mismatched input counts, requiring zero authentication. Patch to TF 2.11, 2.10.1, 2.9.3, or 2.8.4 immediately; if patching is not immediate, add input validation at the API boundary to reject malformed graph inputs before they reach the executor. No data exfiltration risk, but availability of production ML pipelines is directly at stake.

What is the risk?

High availability risk for organizations running TensorFlow in network-accessible contexts (TF Serving, Vertex AI custom containers, SageMaker BYO TF). CVSS 7.5 reflects the low attack complexity—no auth, no user interaction, trivially reproducible. The blast radius is limited to DoS; no code execution or data leakage. Elevated concern for real-time inference endpoints in production (fraud detection, content moderation, autonomous systems) where availability equals business continuity.

What systems are affected?

Package: TensorFlow
Ecosystem: pip
Patched: No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 27% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

What should I do?

6 steps
  1. PATCH

    Upgrade to TensorFlow 2.11, 2.10.1, 2.9.3, or 2.8.4 (commit f5381e0e).

  2. BOUNDARY VALIDATION

    Validate op input counts against declared signatures before graph execution; reject requests with mismatched arity at the API layer.

  3. ISOLATION

    Run TF Serving in isolated containers with auto-restart policies (k8s liveness probes) to minimize downtime window if exploited.

  4. NETWORK SEGMENTATION

    TF Serving inference endpoints should never be directly internet-facing without an authenticated API gateway in front.

  5. DETECT

    Log executor crash events (SIGABRT or unhandled exceptions from the TF Serving process); alert on sudden process restarts.

  6. VERIFY

    Confirm the patched version with `python -c 'import tensorflow as tf; print(tf.__version__)'` post-deployment.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
8.4 - AI system operation and monitoring
NIST AI RMF
GOVERN-1.7 - Processes for AI risk management
MANAGE-2.4 - Residual risks are managed

Frequently Asked Questions

Is CVE-2022-41883 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-41883, increasing the risk of exploitation.

What systems are affected by CVE-2022-41883?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, training pipelines, MLOps platforms.

What is the CVSS score for CVE-2022-41883?

CVE-2022-41883 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.35%.

What is the AI security impact?

Affected AI Architectures

model serving
inference APIs
training pipelines
MLOps platforms

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0034 Cost Harvesting
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: 8.4
NIST AI RMF: GOVERN-1.7, MANAGE-2.4

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. When ops that have specified input sizes receive a differing number of inputs, the executor will crash. We have patched the issue in GitHub commit f5381e0e10b5a61344109c1b7c174c68110f7629. The fix will be included in TensorFlow 2.11. We will also cherry-pick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
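Step 2 above (boundary validation) and the advisory's description of the bug come down to the same check: confirm that each op's input count matches its declared arity before the graph is handed to the executor. The following is an added example, not TensorFlow's or this page's own code; it models graph nodes with a small dataclass and a hypothetical op table (a subset of the real op registry, written for this example) so it runs without TensorFlow installed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class Node:
    """Minimal stand-in for a GraphDef NodeDef: name, op type, inputs, integer attrs."""
    name: str
    op: str
    inputs: List[str]
    attrs: Dict[str, int] = field(default_factory=dict)

# Hypothetical op table (a small subset of TensorFlow's op registry, written for this
# example) mapping a node's attrs to the number of data inputs the op must receive, or
# None when the attrs are invalid. DynamicStitch takes N index tensors then N data tensors.
OP_ARITY: Dict[str, Callable[[Dict[str, int]], Optional[int]]] = {
    "Const": lambda a: 0,
    "Placeholder": lambda a: 0,
    "Add": lambda a: 2,
    "DynamicStitch": lambda a: 2 * a["N"] if a.get("N", 0) >= 1 else None,
}

def data_inputs(inputs: List[str]) -> List[str]:
    """Control-edge inputs (written '^node') do not count toward an op's arity."""
    return [i for i in inputs if not i.startswith("^")]

def check_node(node: Node) -> Optional[str]:
    """Return an error string if the node violates its declared arity, else None."""
    rule = OP_ARITY.get(node.op)
    if rule is None:  # accept-known-good: ops not on the allow-list are rejected
        return f"{node.name}: op {node.op!r} is not on the allow-list"
    expected = rule(node.attrs)
    if expected is None:
        return f"{node.name}: invalid attrs {node.attrs} for {node.op}"
    actual = len(data_inputs(node.inputs))
    if actual != expected:
        return f"{node.name}: {node.op} expects {expected} inputs, got {actual}"
    return None

def validate_graph(nodes: List[Node]) -> List[str]:
    """Check every node; an empty list means the graph may be handed to the executor."""
    return [err for err in map(check_node, nodes) if err is not None]

# Constructed sample graphs: BAD_GRAPH's DynamicStitch declares N=2 (four inputs)
# but is wired with three, the kind of mismatch the unpatched executor crashed on.
GOOD_GRAPH = [Node("i0", "Const", []), Node("i1", "Const", []),
              Node("d0", "Placeholder", []), Node("d1", "Placeholder", []),
              Node("stitch", "DynamicStitch", ["i0", "i1", "d0", "d1"], {"N": 2})]
BAD_GRAPH = GOOD_GRAPH[:-1] + [
    Node("stitch", "DynamicStitch", ["i0", "i1", "d0"], {"N": 2})]
```

In a real deployment the same check would run over the parsed GraphDef of an uploaded SavedModel (or over a PredictRequest's inputs against the loaded signature) and reject the request with a 4xx rather than letting it reach the executor.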

Exploitation Scenario

An adversary identifies a target organization running TF Serving (default port 8501/8500) exposed via a cloud load balancer—discoverable via Shodan or cloud asset enumeration. They craft a TensorFlow SavedModel or a direct gRPC PredictRequest where a `DynamicStitch` op is called with a different number of inputs than its declared signature. Submitting this request causes the TF executor to crash, terminating the serving process. For continuous impact, the adversary scripts repeated requests at ~1 req/sec to prevent service recovery. In a fraud detection or real-time inference context, this creates a window of service unavailability that could be timed to coincide with fraudulent transactions the ML model would otherwise catch.

Weaknesses (CWE)

CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] Use a language that provides appropriate memory abstractions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
November 18, 2022
Last Modified
November 21, 2024
First Seen
November 18, 2022
