CVE-2022-41889: TensorFlow: NULL ptr deref DoS via quantized tensor input

HIGH | PoC AVAILABLE | CISA: TRACK*
Published November 18, 2022
CISO Take

TensorFlow's legacy v1 API crashes when processing quantized tensor inputs in certain operations, enabling unauthenticated remote denial-of-service against inference endpoints. If your ML serving infrastructure exposes TensorFlow APIs that accept user-controlled inputs, treat this as urgent: patch to TF 2.11, 2.10.1, 2.9.3, or 2.8.4. Code execution is not possible, but inference service availability is at direct risk.

Risk Assessment

Medium-high for organizations with externally exposed TensorFlow inference APIs. CVSS 7.5 with no authentication or user interaction required makes this trivially weaponizable for DoS. The blast radius is limited to availability: no data exfiltration or code execution pathway exists. Risk is amplified in production ML serving environments where uptime SLAs apply. The CVE is not in CISA KEV and dates from 2022, which reduces urgency for well-patched environments, but legacy TF deployments remain common in enterprise.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 30% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: None
I: None
A: High

Recommended Action

5 steps
  1. PATCH

    Upgrade to TensorFlow 2.11, 2.10.1, 2.9.3, or 2.8.4 (commit e9e95553).

  2. VALIDATE INPUTS

    Add an input validation layer that rejects quantized tensor types (DT_QINT8, DT_QUINT8, DT_QINT16, etc.) before requests are routed to volume patch operations such as `tf.compat.v1.extract_volume_patches`.

  3. ISOLATE

    If patching is blocked, place inference endpoints behind an authenticated API gateway—reduce the no-auth attack surface.

  4. DETECT

    Monitor TF serving processes for unexpected crashes or SIGABRT signals; alert on pod restarts in Kubernetes TF deployments.

  5. AUDIT

    Inventory all TF versions in production via container image scanning; prioritize any service using tf.compat.v1 APIs.
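
Steps 1 and 5 can be checked mechanically. The following added example (not from the original page or the TensorFlow project) classifies pinned TensorFlow versions against the fixed releases listed above and puts services that call tf.compat.v1 first. The inventory format, the service names and the `is_patched`/`audit` helpers are assumptions, and branches older than 2.8 are treated as unpatched because the page lists no fixed release for them.

```python
import re

# Fixed releases named on this page: minimum patch level per supported branch.
PATCHED_FLOOR = {(2, 8): 4, (2, 9): 3, (2, 10): 1}
FIRST_FIXED_BRANCH = (2, 11)  # 2.11 and later ship the fix

# Distribution names to look for (assumption: these cover the audited images).
TF_DISTS = {"tensorflow", "tensorflow-cpu", "tensorflow-gpu"}
PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*(\d+)\.(\d+)(?:\.(\d+))?")

def is_patched(major, minor, patch):
    """True if this TensorFlow release carries the CVE-2022-41889 fix."""
    if (major, minor) >= FIRST_FIXED_BRANCH:
        return True
    floor = PATCHED_FLOOR.get((major, minor))
    # Assumption: branches with no listed fix release (older than 2.8) are unpatched.
    return floor is not None and patch >= floor

def audit(inventory):
    """inventory: {service: {"requirements": str, "source": str}} -> findings."""
    findings = []
    for service, data in inventory.items():
        for line in data["requirements"].splitlines():
            m = PIN.match(line)
            if not m or m.group(1).lower().replace("_", "-") not in TF_DISTS:
                continue
            ver = (int(m.group(2)), int(m.group(3)), int(m.group(4) or 0))
            if is_patched(*ver):
                continue
            uses_v1 = "tf.compat.v1" in data["source"]
            findings.append({"service": service, "version": "%d.%d.%d" % ver,
                             "priority": "high" if uses_v1 else "normal"})
    # Services calling tf.compat.v1 APIs come first, as step 5 asks.
    return sorted(findings, key=lambda f: (f["priority"] != "high", f["service"]))

# Constructed sample inventory (not real services).
SAMPLE = {
    "ranker": {"requirements": "numpy==1.23.4\ntensorflow==2.9.1\n",
               "source": "patches = tf.compat.v1.extract_volume_patches(...)"},
    "embedder": {"requirements": "tensorflow==2.10.1\n", "source": "import tensorflow as tf"},
    "legacy-batch": {"requirements": "tensorflow-gpu==2.7.0\n", "source": "import tensorflow as tf"},
    "vision": {"requirements": "tensorflow==2.11.0\n", "source": "tf.compat.v1.Session()"},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
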

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: 6.1.2 - AI risk assessment
NIST AI RMF: MANAGE-2.2 - Mechanisms to sustain the value of deployed AI
OWASP LLM Top 10: LLM10 - Model Denial of Service

Frequently Asked Questions

What is CVE-2022-41889?

TensorFlow's legacy v1 API crashes when processing quantized tensor inputs in certain operations, enabling unauthenticated remote denial-of-service against inference endpoints. If your ML serving infrastructure exposes TensorFlow APIs that accept user-controlled inputs, treat this as urgent: patch to TF 2.11, 2.10.1, 2.9.3, or 2.8.4. Code execution is not possible, but inference service availability is at direct risk.

Is CVE-2022-41889 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-41889, increasing the risk of exploitation.

How to fix CVE-2022-41889?

  1. PATCH: Upgrade to TensorFlow 2.11, 2.10.1, 2.9.3, or 2.8.4 (commit e9e95553).
  2. VALIDATE INPUTS: Add an input validation layer rejecting quantized tensor types (DT_QINT8, DT_QUINT8, DT_QINT16, etc.) before routing to volume patch operations.
  3. ISOLATE: If patching is blocked, place inference endpoints behind an authenticated API gateway—reduce the no-auth attack surface.
  4. DETECT: Monitor TF serving processes for unexpected crashes or SIGABRT signals; alert on pod restarts in Kubernetes TF deployments.
  5. AUDIT: Inventory all TF versions in production via container image scanning; prioritize any service using tf.compat.v1 APIs.

What systems are affected by CVE-2022-41889?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference endpoints, training pipelines, batch inference systems.

What is the CVSS score for CVE-2022-41889?

CVE-2022-41889 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.12%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. If a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a `nullptr`, which is not caught. An example can be seen in `tf.compat.v1.extract_volume_patches` by passing in quantized tensors as input `ksizes`. We have patched the issue in GitHub commit e9e95553e5411834d215e6770c81a83a3d0866ce. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary identifies a public-facing TensorFlow Model Server or custom inference API endpoint. They craft an HTTP POST request with a quantized tensor (e.g., DT_QINT8) passed as the ksizes parameter to extract_volume_patches via the pywrap layer. TensorFlow's Python-C++ binding fails to parse the quantized type, returns a nullptr, and the uncaught null dereference crashes the serving process. On containerized deployments without restart policies, this takes the inference service offline. An attacker can automate this in a loop to maintain denial of service with minimal resources—no special AI/ML knowledge required, just knowledge of the TF API schema.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: November 18, 2022
Last Modified: January 15, 2025
First Seen: November 18, 2022
