CVE-2022-41896: TensorFlow: DoS via oversized filterbank_channel_count

Severity: HIGH | PoC available | CISA SSVC: Track*
Published November 18, 2022
CISO Take

A network-reachable crash in TensorFlow requires zero authentication — an attacker sends a single malformed request with an oversized integer parameter and the serving process terminates. Any team running TensorFlow Serving APIs where untrusted users control input parameters is exposed. Patch to TF 2.11, 2.10.1, 2.9.3, or 2.8.4 immediately and add API gateway bounds-checking as a compensating control until patched.

Risk Assessment

CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) makes this near-zero-effort exploitation against exposed TensorFlow endpoints. Impact is pure availability — no data exfiltration or model compromise, but a crashed serving process means complete inference downtime. Risk is elevated for multi-tenant ML platforms and cloud AI endpoints where external users submit inference requests. Not in CISA KEV and exploit complexity is trivial (no AI/ML knowledge required), meaning opportunistic attackers can weaponize this without understanding TensorFlow internals.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch


Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 39% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: None
I: None
A: High

Recommended Action

  1. Patch: Upgrade TensorFlow to 2.11, 2.10.1, 2.9.3, or 2.8.4 (commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860).

  2. Input validation: Enforce hard upper bounds on all integer parameters before passing to TF ops — do not rely on TensorFlow's internal validation.

  3. API gateway: Deploy rate-limiting and schema validation that rejects out-of-range numeric fields at the perimeter.

  4. Process resilience: Run TF Serving under supervisors with auto-restart (Kubernetes liveness probes, systemd Restart=always) to minimize MTTR on crash.

  5. Least privilege: Ensure serving processes run as unprivileged users isolated from sensitive workloads.

  6. Detection: Alert on unexpected TF Serving process restarts, pod crash loops, or 5xx error spikes correlated with specific op invocations.
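
An added example for steps 2 and 3 (not code from TensorFlow or from this advisory): a validator that walks a decoded JSON inference request and rejects out-of-range integer fields before they reach TF ops. The limits in `BOUNDS`, the fallback range, and the request shape are deployment-chosen assumptions, not TensorFlow's internal maximum.

```python
import math

# Deployment-chosen limits (assumptions; NOT TensorFlow's internal maximum).
BOUNDS = {"filterbank_channel_count": (1, 256)}
DEFAULT_INT_BOUND = (-(2**31), 2**31 - 1)  # fallback for unlisted integer fields


class OutOfRange(ValueError):
    """Raised when a numeric field violates its bound."""


def _check_number(path, name, value):
    if isinstance(value, bool):
        return  # JSON booleans are not numeric parameters
    if isinstance(value, float):
        if not math.isfinite(value):  # json.loads accepts NaN/Infinity by default
            raise OutOfRange(f"{path}: non-finite number")
        if name not in BOUNDS:
            return  # ordinary float tensor data, not an integer parameter
        if not value.is_integer():
            raise OutOfRange(f"{path}: expected an integer")
        value = int(value)
    low, high = BOUNDS.get(name, DEFAULT_INT_BOUND)
    if not low <= value <= high:
        raise OutOfRange(f"{path}: {value} outside [{low}, {high}]")


def validate(node, path="$", name=None):
    """Walk a decoded JSON body; raise OutOfRange on the first violation."""
    if isinstance(node, dict):
        for key, child in node.items():
            validate(child, f"{path}.{key}", key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            validate(child, f"{path}[{i}]", name)  # items inherit the field name
    elif isinstance(node, (int, float)):
        _check_number(path, name, node)


def is_allowed(body):
    """Return True if the request may be forwarded to the serving process."""
    try:
        validate(body)
        return True
    except OutOfRange:
        return False
```

Call `is_allowed(json.loads(raw_body))` in the gateway or request handler and return a 4xx on `False`, so the oversized value never reaches the serving process.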

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.10.2 - AI system availability and resilience
NIST AI RMF: MANAGE-2.2 - Reliable and robust AI system operation
OWASP LLM Top 10: LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2022-41896?

A network-reachable crash in TensorFlow requires zero authentication — an attacker sends a single malformed request with an oversized integer parameter and the serving process terminates. Any team running TensorFlow Serving APIs where untrusted users control input parameters is exposed. Patch to TF 2.11, 2.10.1, 2.9.3, or 2.8.4 immediately and add API gateway bounds-checking as a compensating control until patched.

Is CVE-2022-41896 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-41896, increasing the risk of exploitation.

How to fix CVE-2022-41896?

1. Patch: Upgrade TensorFlow to 2.11, 2.10.1, 2.9.3, or 2.8.4 (commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860).
2. Input validation: Enforce hard upper bounds on all integer parameters before passing to TF ops — do not rely on TensorFlow's internal validation.
3. API gateway: Deploy rate-limiting and schema validation that rejects out-of-range numeric fields at the perimeter.
4. Process resilience: Run TF Serving under supervisors with auto-restart (Kubernetes liveness probes, systemd Restart=always) to minimize MTTR on crash.
5. Least privilege: Ensure serving processes run as unprivileged users isolated from sensitive workloads.
6. Detection: Alert on unexpected TF Serving process restarts, pod crash loops, or 5xx error spikes correlated with specific op invocations.

What systems are affected by CVE-2022-41896?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML inference endpoints, training pipelines, NLP embedding pipelines, image preprocessing pipelines.

What is the CVSS score for CVE-2022-41896?

CVE-2022-41896 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.18%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. If `ThreadUnsafeUnigramCandidateSampler` is given input `filterbank_channel_count` greater than the allowed max size, TensorFlow will crash. We have patched the issue in GitHub commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker discovers a TensorFlow Serving endpoint via Shodan, leaked API documentation, or a misconfigured cloud load balancer. They craft a gRPC PredictRequest or REST inference call targeting a model graph that includes the UnigramCandidateSampler or MirrorPad op, supplying a filterbank_channel_count value exceeding the internal maximum (no reverse engineering needed — the vulnerable parameter name is public via the CVE). TensorFlow crashes instantly. In a Kubernetes deployment without liveness probes configured, the pod stays down indefinitely. In a single-node serving setup, this takes the entire ML API offline. Repeated requests at low frequency maintain denial-of-service while evading rate-limit thresholds. No credentials, no payload crafting, no AI knowledge required.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: November 18, 2022
Last Modified: November 21, 2024
First Seen: November 18, 2022
