CVE-2022-41885 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

An unauthenticated remote attacker can crash any TensorFlow inference service by sending a request with an oversized tensor shape to FusedResizeAndPadConv2D, causing an integer overflow and service termination. Any internet-exposed TF Serving endpoint running image-based models is affected. Patch immediately to TensorFlow 2.11, 2.10.1, 2.9.3, or 2.8.4 and enforce tensor shape limits at your API gateway.

Risk Assessment

Effective risk is HIGH for organizations running public-facing TensorFlow Serving endpoints. CVSS 7.5 reflects network-reachable, zero-auth, low-complexity exploitation with full availability impact. The attack requires no ML knowledge—just a crafted HTTP request with large tensor dimensions. Mitigating factors: no code execution or data exfiltration possible; impact is limited to availability. Not in CISA KEV and no public exploit observed as of disclosure, but PoC is implicit in the advisory.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 36% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

PATCH

Upgrade TensorFlow to 2.11.0, or cherry-pick to 2.10.1 / 2.9.3 / 2.8.4. Commit: d66e1d568275e6a2947de97dca7a102a211e01ce.
INPUT VALIDATION

Enforce max tensor shape bounds at API ingress before passing to TF ops—reject requests with dimensions exceeding operational maximums.
API GATEWAY

Deploy rate limiting and request schema validation in front of TF Serving endpoints.
DETECTION

Monitor for abnormal OOM crashes or rapid process restarts in TF Serving logs as an indicator of exploitation attempts.
ISOLATION

Run TF Serving in containers with restart policies and resource limits to minimize availability impact.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.9 - Risk management system for high-risk AI

ISO 42001

A.9.8 - AI system vulnerability management

NIST AI RMF

GOVERN-1.7 - Processes for AI risk identification and tracking MANAGE-2.4 - Residual risks and recovery procedures

Frequently Asked Questions

What is CVE-2022-41885?

An unauthenticated remote attacker can crash any TensorFlow inference service by sending a request with an oversized tensor shape to FusedResizeAndPadConv2D, causing an integer overflow and service termination. Any internet-exposed TF Serving endpoint running image-based models is affected. Patch immediately to TensorFlow 2.11, 2.10.1, 2.9.3, or 2.8.4 and enforce tensor shape limits at your API gateway.

Is CVE-2022-41885 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-41885, increasing the risk of exploitation.

How to fix CVE-2022-41885?

1. PATCH: Upgrade TensorFlow to 2.11.0, or cherry-pick to 2.10.1 / 2.9.3 / 2.8.4. Commit: d66e1d568275e6a2947de97dca7a102a211e01ce. 2. INPUT VALIDATION: Enforce max tensor shape bounds at API ingress before passing to TF ops—reject requests with dimensions exceeding operational maximums. 3. API GATEWAY: Deploy rate limiting and request schema validation in front of TF Serving endpoints. 4. DETECTION: Monitor for abnormal OOM crashes or rapid process restarts in TF Serving logs as an indicator of exploitation attempts. 5. ISOLATION: Run TF Serving in containers with restart policies and resource limits to minimize availability impact.

What systems are affected by CVE-2022-41885?

This vulnerability affects the following AI/ML architecture patterns: model serving, image processing pipelines, training pipelines.

What is the CVSS score for CVE-2022-41885?

CVE-2022-41885 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.16%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. When `tf.raw_ops.FusedResizeAndPadConv2D` is given a large tensor shape, it overflows. We have patched the issue in GitHub commit d66e1d568275e6a2947de97dca7a102a211e01ce. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary identifies a public-facing computer vision API (e.g., an image classification service built on TensorFlow Serving). They craft a gRPC or REST request invoking a model that uses FusedResizeAndPadConv2D with tensor shape dimensions set to values near INT32_MAX. The integer overflow triggers a crash in the serving process, causing a denial of service. If the service lacks restart supervision or resource isolation, this can result in prolonged outage. The attack requires no authentication, no ML expertise, and can be repeated to sustain the DoS.