CVE-2022-41884 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

TensorFlow inference services exposed over the network can be crashed by sending a specially crafted numpy array shape — no authentication or user interaction required. Patch to TensorFlow 2.11, 2.10.1, 2.9.3, or 2.8.4 immediately, prioritizing externally-facing inference APIs and model serving endpoints. No data exfiltration risk, but sustained exploitation can take down AI/ML production workloads entirely.

Risk Assessment

High severity (CVSS 7.5) with a trivial exploitation profile: network-accessible, no privileges, no user interaction. Impact is limited to availability — no confidentiality or integrity exposure — but in production ML environments, inference service downtime translates directly to business disruption and SLA violations. The zero-auth, low-complexity vector makes this an attractive target for opportunistic attackers scanning for exposed TF Serving endpoints. Priority: high for organizations running public-facing TensorFlow inference APIs.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 31% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch: Upgrade to TensorFlow 2.11, or apply cherrypick commits to 2.10.1, 2.9.3, or 2.8.4.
Workaround: Implement input validation at the API gateway layer to reject arrays with any zero-valued dimension before reaching TensorFlow.
Network controls: Place inference APIs behind an authenticated API gateway; never expose TF Serving ports directly to the internet.
Detection: Alert on elevated error rates or process crashes in TF Serving logs; a spike in shape-related errors is a strong indicator.
Inventory: Audit all deployed TF versions with pip show tensorflow across model serving infrastructure.

Classification

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI system operation and monitoring

NIST AI RMF

MANAGE 2.2 - Mechanisms to respond to and recover from AI risks MAP 5.1 - Likelihood and impact of AI risks are mapped

Frequently Asked Questions

What is CVE-2022-41884?

TensorFlow inference services exposed over the network can be crashed by sending a specially crafted numpy array shape — no authentication or user interaction required. Patch to TensorFlow 2.11, 2.10.1, 2.9.3, or 2.8.4 immediately, prioritizing externally-facing inference APIs and model serving endpoints. No data exfiltration risk, but sustained exploitation can take down AI/ML production workloads entirely.

Is CVE-2022-41884 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-41884, increasing the risk of exploitation.

How to fix CVE-2022-41884?

1. Patch: Upgrade to TensorFlow 2.11, or apply cherrypick commits to 2.10.1, 2.9.3, or 2.8.4. 2. Workaround: Implement input validation at the API gateway layer to reject arrays with any zero-valued dimension before reaching TensorFlow. 3. Network controls: Place inference APIs behind an authenticated API gateway; never expose TF Serving ports directly to the internet. 4. Detection: Alert on elevated error rates or process crashes in TF Serving logs; a spike in shape-related errors is a strong indicator. 5. Inventory: Audit all deployed TF versions with `pip show tensorflow` across model serving infrastructure.

What systems are affected by CVE-2022-41884?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, training pipelines, ML notebooks.

What is the CVSS score for CVE-2022-41884?

CVE-2022-41884 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.13%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. If a numpy array is created with a shape such that one element is zero and the others sum to a large number, an error will be raised. We have patched the issue in GitHub commit 2b56169c16e375c521a3bc8ea658811cc0793784. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targeting an organization's AI-powered API (image classification, NLP, fraud detection) sends a crafted inference request containing a numpy array with shape [0, 2147483647] — one zero dimension with remaining dimensions summing to a very large number. TensorFlow raises an unhandled error, crashing the inference worker or returning repeated 500 errors. By automating this at low request volume, the adversary sustains a zero-cost, zero-auth DoS that takes the AI feature offline. No ML knowledge required — the payload is a single malformed tensor.