CVE-2022-41890 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

An unauthenticated remote attacker can crash any TensorFlow inference service by sending tensor inputs with dimensions exceeding int32 range—no credentials or interaction required. Availability impact is total for affected services; patch immediately to TF 2.11, 2.10.1, 2.9.3, or 2.8.4. If patching is not immediate, enforce strict input shape validation at the API gateway layer.

Risk Assessment

CVSS 7.5 HIGH with network-accessible, zero-auth, low-complexity exploitation makes this trivially weaponizable against any exposed TF endpoint. The blast radius is limited to availability (no data exfiltration risk), but a crashed inference service is a full outage for dependent applications. Not in CISA KEV and no known active exploitation, but the exploit primitive is simple enough to integrate into denial-of-service tooling targeting ML infrastructure.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 33% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch: upgrade to TensorFlow 2.11, 2.10.1, 2.9.3, or 2.8.4 (commit 8310bf8).
Input validation: reject tensor dimensions exceeding 2^31−1 (2,147,483,647) at the application layer before they reach TF ops.
Network controls: ensure TF Serving and model API endpoints are not directly internet-exposed; place behind API gateway with schema validation.
Detection: monitor for process crashes or abrupt restarts in TF serving containers—anomalous restart spikes may indicate exploitation attempts.
Consider containerizing inference workloads with resource limits and auto-restart policies to minimize DoS impact.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.5 - AI system availability and resilience

NIST AI RMF

MANAGE-2.4 - Residual risks and impacts are managed

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2022-41890?

An unauthenticated remote attacker can crash any TensorFlow inference service by sending tensor inputs with dimensions exceeding int32 range—no credentials or interaction required. Availability impact is total for affected services; patch immediately to TF 2.11, 2.10.1, 2.9.3, or 2.8.4. If patching is not immediate, enforce strict input shape validation at the API gateway layer.

Is CVE-2022-41890 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-41890, increasing the risk of exploitation.

How to fix CVE-2022-41890?

1. Patch: upgrade to TensorFlow 2.11, 2.10.1, 2.9.3, or 2.8.4 (commit 8310bf8). 2. Input validation: reject tensor dimensions exceeding 2^31−1 (2,147,483,647) at the application layer before they reach TF ops. 3. Network controls: ensure TF Serving and model API endpoints are not directly internet-exposed; place behind API gateway with schema validation. 4. Detection: monitor for process crashes or abrupt restarts in TF serving containers—anomalous restart spikes may indicate exploitation attempts. 5. Consider containerizing inference workloads with resource limits and auto-restart policies to minimize DoS impact.

What systems are affected by CVE-2022-41890?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, training pipelines, batch processing pipelines.

What is the CVSS score for CVE-2022-41890?

CVE-2022-41890 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.14%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. If `BCast::ToShape` is given input larger than an `int32`, it will crash, despite being supposed to handle up to an `int64`. An example can be seen in `tf.experimental.numpy.outer` by passing in large input to the input `b`. We have patched the issue in GitHub commit 8310bf8dd188ff780e7fc53245058215a05bdbe5. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary identifies a public-facing model inference API backed by TensorFlow (e.g., via HTTP headers, error messages, or job postings referencing the stack). They craft a POST request to the prediction endpoint with a tensor shape containing a dimension value of 2^32 or larger. The server-side call to `BCast::ToShape` performs a narrowing cast from int64 to int32, triggering a crash. The inference pod restarts, causing a service outage. In a shared multi-tenant ML platform, this can be used to repeatedly disrupt other tenants' inference services with minimal effort.