CVE-2022-41883: TensorFlow: executor crash via malformed op inputs (DoS)

HIGH PoC AVAILABLE
Published November 18, 2022
CISO Take

Any service exposing TensorFlow inference or training endpoints—including TF Serving, custom REST wrappers, or notebook environments—can be crashed by sending ops with mismatched input counts, requiring zero authentication. Patch to TF 2.11, 2.10.1, 2.9.3, or 2.8.4 immediately; if patching is not immediate, add input validation at the API boundary to reject malformed graph inputs before they reach the executor. No data exfiltration risk, but availability of production ML pipelines is directly at stake.

Risk Assessment

High availability risk for organizations running TensorFlow in network-accessible contexts (TF Serving, Vertex AI custom containers, SageMaker BYO TF). CVSS 7.5 reflects the low attack complexity—no auth, no user interaction, trivially reproducible. The blast radius is limited to DoS; no code execution or data leakage. Elevated concern for real-time inference endpoints in production (fraud detection, content moderation, autonomous systems) where availability equals business continuity.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 38% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: None
I: None
A: High

Recommended Action

  1. PATCH

    Upgrade to TensorFlow 2.11, 2.10.1, 2.9.3, or 2.8.4 (commit f5381e0e).

  2. BOUNDARY VALIDATION

    Validate op input counts against declared signatures before graph execution; reject requests with mismatched arity at the API layer.

  3. ISOLATION

    Run TF Serving in isolated containers with auto-restart policies (k8s liveness probes) to minimize downtime window if exploited.

  4. NETWORK SEGMENTATION

    TF Serving inference endpoints should never be directly internet-facing without an authenticated API gateway in front.

  5. DETECT

    Log executor crash events (SIGABRT/unhandled exceptions from tf serving process); alert on sudden process restarts.

  6. VERIFY

    Confirm patched version with `python -c 'import tensorflow as tf; print(tf.__version__)'` post-deployment.
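
The arity check from step 2, as an added example in Python; it is not TensorFlow's code or code from this advisory. The `SIGNATURES` table is a hand-written subset modelled on OpDef `input_arg` entries, the node dictionaries stand in for `NodeDef`, and `expected_arity`, `validate_graph` and `SAMPLE` are hypothetical names with constructed data.

```python
# Added example: reject graph nodes whose input count differs from the op's
# declared signature. SIGNATURES and the node dicts are assumptions that mirror
# OpDef/NodeDef fields; a real gate would read them from the op registry.

# (arg_name, number_attr): number_attr None means exactly one tensor.
SIGNATURES = {
    "Add": [("x", None), ("y", None)],
    "AddN": [("inputs", "N")],
    "DynamicStitch": [("indices", "N"), ("data", "N")],
}

def expected_arity(op, attrs):
    """Return the number of data inputs the signature declares, or None."""
    sig = SIGNATURES.get(op)
    if sig is None:
        return None  # unknown op: fail closed, the caller rejects it
    total = 0
    for _name, number_attr in sig:
        if number_attr is None:
            total += 1
            continue
        n = attrs.get(number_attr)
        if not isinstance(n, int) or isinstance(n, bool) or n < 1:
            return None  # missing or nonsensical repeat count
        total += n
    return total

def validate_graph(nodes):
    """Return (node_name, reason) for every node that must be rejected."""
    findings = []
    for node in nodes:
        name = node.get("name", "?")
        # Control dependencies are written "^name" and carry no tensor.
        got = sum(1 for i in node.get("input", []) if not i.startswith("^"))
        want = expected_arity(node.get("op"), node.get("attr", {}))
        if want is None:
            findings.append((name, "unknown op or invalid count attr"))
        elif got != want:
            findings.append((name, f"expected {want} inputs, got {got}"))
    return findings

# Constructed sample graph: one well-formed node and two malformed ones.
SAMPLE = [
    {"name": "sum", "op": "AddN", "attr": {"N": 2}, "input": ["a", "b", "^init"]},
    {"name": "stitch", "op": "DynamicStitch", "attr": {"N": 2}, "input": ["i0", "i1", "d0"]},
    {"name": "add", "op": "Add", "attr": {}, "input": ["a"]},
]

if __name__ == "__main__":
    print(validate_graph(SAMPLE))
```

Ops missing from the table are rejected rather than passed through, so the gate fails closed when a graph uses something the allowlist does not describe.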

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: 8.4 - AI system operation and monitoring
NIST AI RMF: GOVERN-1.7 - Processes for AI risk management; MANAGE-2.4 - Residual risks are managed

Frequently Asked Questions

What is CVE-2022-41883?

Any service exposing TensorFlow inference or training endpoints—including TF Serving, custom REST wrappers, or notebook environments—can be crashed by sending ops with mismatched input counts, requiring zero authentication. Patch to TF 2.11, 2.10.1, 2.9.3, or 2.8.4 immediately; if patching is not immediate, add input validation at the API boundary to reject malformed graph inputs before they reach the executor. No data exfiltration risk, but availability of production ML pipelines is directly at stake.

Is CVE-2022-41883 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-41883, increasing the risk of exploitation.

How to fix CVE-2022-41883?

1. PATCH: Upgrade to TensorFlow 2.11, 2.10.1, 2.9.3, or 2.8.4 (commit f5381e0e).
2. BOUNDARY VALIDATION: Validate op input counts against declared signatures before graph execution; reject requests with mismatched arity at the API layer.
3. ISOLATION: Run TF Serving in isolated containers with auto-restart policies (k8s liveness probes) to minimize downtime window if exploited.
4. NETWORK SEGMENTATION: TF Serving inference endpoints should never be directly internet-facing without an authenticated API gateway in front.
5. DETECT: Log executor crash events (SIGABRT/unhandled exceptions from tf serving process); alert on sudden process restarts.
6. VERIFY: Confirm patched version with `python -c 'import tensorflow as tf; print(tf.__version__)'` post-deployment.

What systems are affected by CVE-2022-41883?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, training pipelines, MLOps platforms.

What is the CVSS score for CVE-2022-41883?

CVE-2022-41883 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.17%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. When ops that have specified input sizes receive a differing number of inputs, the executor will crash. We have patched the issue in GitHub commit f5381e0e10b5a61344109c1b7c174c68110f7629. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary identifies a target organization running TF Serving (default port 8501/8500) exposed via a cloud load balancer—discoverable via Shodan or cloud asset enumeration. They craft a TensorFlow SavedModel or a direct gRPC PredictRequest where a `DynamicStitch` op is called with a different number of inputs than its declared signature. Submitting this request causes the TF executor to crash, terminating the serving process. For continuous impact, the adversary scripts repeated requests at ~1 req/sec to prevent service recovery. In a fraud detection or real-time inference context, this creates a window of service unavailability that could be timed to coincide with fraudulent transactions the ML model would otherwise catch.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: November 18, 2022
Last Modified: November 21, 2024
First Seen: November 18, 2022
