CVE-2022-41884: TensorFlow: DoS via malformed numpy array shape

Severity: HIGH | PoC available
Published November 18, 2022
CISO Take

TensorFlow inference services exposed over the network can be crashed by sending a specially crafted numpy array shape — no authentication or user interaction required. Patch to TensorFlow 2.11, 2.10.1, 2.9.3, or 2.8.4 immediately, prioritizing externally-facing inference APIs and model serving endpoints. No data exfiltration risk, but sustained exploitation can take down AI/ML production workloads entirely.

What is the risk?

High severity (CVSS 7.5) with a trivial exploitation profile: network-accessible, no privileges, no user interaction. Impact is limited to availability — no confidentiality or integrity exposure — but in production ML environments, inference service downtime translates directly to business disruption and SLA violations. The zero-auth, low-complexity vector makes this an attractive target for opportunistic attackers scanning for exposed TF Serving endpoints. Priority: high for organizations running public-facing TensorFlow inference APIs.

What systems are affected?

Package: TensorFlow
Ecosystem: pip
Vulnerable Range: (none given)
Patched: No patch
Package stats: 195.8K · OpenSSF 7.1 · 3.7K dependents · Pushed 3d ago · 4% patched · ~1372d to patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 25% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

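AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High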

What should I do?

5 steps
  1. Patch: Upgrade to TensorFlow 2.11, or apply cherrypick commits to 2.10.1, 2.9.3, or 2.8.4.

  2. Workaround: Implement input validation at the API gateway layer to reject arrays with any zero-valued dimension before reaching TensorFlow.

  3. Network controls: Place inference APIs behind an authenticated API gateway; never expose TF Serving ports directly to the internet.

  4. Detection: Alert on elevated error rates or process crashes in TF Serving logs; a spike in shape-related errors is a strong indicator.

  5. Inventory: Audit all deployed TF versions with `pip show tensorflow` across model serving infrastructure.
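
One way to implement the step 2 workaround in front of the model server, as an added example (not TensorFlow or TF Serving code). It goes slightly beyond the zero-dimension check by also rejecting ragged arrays and oversized shapes. The `shape` request field, the two limits and all function names are assumptions; `instances` is the TF Serving REST row-format key.

```python
import json
MAX_DIM = 1 << 20       # assumed per-dimension ceiling; tune per model
MAX_ELEMENTS = 1 << 24  # assumed total-element budget; tune per model

class ShapeRejected(ValueError):
    """The request carries a shape the gateway refuses to forward."""

def check_shape(dims):
    """Reject zero, negative, non-integer or oversized dimensions."""
    total = 1
    for d in dims:
        if type(d) is not int:  # also excludes bool and float
            raise ShapeRejected(f"non-integer dimension: {d!r}")
        if d <= 0:
            raise ShapeRejected(f"zero or negative dimension: {d}")
        total *= d
        if d > MAX_DIM or total > MAX_ELEMENTS:
            raise ShapeRejected(f"shape too large at dimension {d}")
    return tuple(dims)

def infer_shape(value):
    """Shape of a nested JSON list; empty and ragged lists are rejected."""
    if not isinstance(value, list):
        return ()
    if not value:
        raise ShapeRejected("empty list gives a zero-valued dimension")
    inner = {infer_shape(v) for v in value}
    if len(inner) != 1:
        raise ShapeRejected("ragged array")
    return (len(value),) + inner.pop()

def validate_request(body):
    """Return the validated shape of a JSON request body, or raise."""
    try:
        doc = json.loads(body)
        if not isinstance(doc, dict):
            raise ShapeRejected("body is not a JSON object")
        if "shape" in doc:  # hypothetical declared-shape field
            if not isinstance(doc["shape"], list):
                raise ShapeRejected("shape is not a list")
            return check_shape(doc["shape"])
        data = doc.get("instances")  # TF Serving REST row format
        if not isinstance(data, list):
            raise ShapeRejected("no tensor payload")
        return check_shape(infer_shape(data))
    except ShapeRejected:
        raise
    except (ValueError, RecursionError) as exc:
        raise ShapeRejected(f"unparseable body: {exc}") from exc
```

A gateway would map `ShapeRejected` to an HTTP 400 and log the reason, which also feeds the shape-error alerting in step 4.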

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI system operation and monitoring
NIST AI RMF: MANAGE 2.2 - Mechanisms to respond to and recover from AI risks; MAP 5.1 - Likelihood and impact of AI risks are mapped

Frequently Asked Questions

Is CVE-2022-41884 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-41884, increasing the risk of exploitation.

How to fix CVE-2022-41884?

  1. Patch: Upgrade to TensorFlow 2.11, or apply cherrypick commits to 2.10.1, 2.9.3, or 2.8.4.

  2. Workaround: Implement input validation at the API gateway layer to reject arrays with any zero-valued dimension before reaching TensorFlow.

  3. Network controls: Place inference APIs behind an authenticated API gateway; never expose TF Serving ports directly to the internet.

  4. Detection: Alert on elevated error rates or process crashes in TF Serving logs; a spike in shape-related errors is a strong indicator.

  5. Inventory: Audit all deployed TF versions with `pip show tensorflow` across model serving infrastructure.

What systems are affected by CVE-2022-41884?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, training pipelines, ML notebooks.

What is the CVSS score for CVE-2022-41884?

CVE-2022-41884 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.33%.

What is the AI security impact?

Affected AI Architectures

model serving, inference APIs, training pipelines, ML notebooks

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0034 Cost Harvesting
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE 2.2, MAP 5.1

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. If a numpy array is created with a shape such that one element is zero and the others sum to a large number, an error will be raised. We have patched the issue in GitHub commit 2b56169c16e375c521a3bc8ea658811cc0793784. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targeting an organization's AI-powered API (image classification, NLP, fraud detection) sends a crafted inference request containing a numpy array with shape [0, 2147483647] — one zero dimension with remaining dimensions summing to a very large number. TensorFlow raises an unhandled error, crashing the inference worker or returning repeated 500 errors. By automating this at low request volume, the adversary sustains a zero-cost, zero-auth DoS that takes the AI feature offline. No ML knowledge required — the payload is a single malformed tensor.

Weaknesses (CWE)

CWE-670 — Always-Incorrect Control Flow Implementation: The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: November 18, 2022
Last Modified: November 21, 2024
First Seen: November 18, 2022
