CVE-2022-41896: TensorFlow: DoS via oversized filterbank_channel_count

Severity: HIGH | PoC available | CISA SSVC: Track*
Published November 18, 2022
CISO Take

A network-reachable crash in TensorFlow requires zero authentication — an attacker sends a single malformed request with an oversized integer parameter and the serving process terminates. Any team running TensorFlow Serving APIs where untrusted users control input parameters is exposed. Patch to TF 2.11, 2.10.1, 2.9.3, or 2.8.4 immediately and add API gateway bounds-checking as a compensating control until patched.

What is the risk?

CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) means exploitation against exposed TensorFlow endpoints takes near-zero effort. Impact is pure availability: no data exfiltration or model compromise, but a crashed serving process means complete inference downtime. Risk is elevated for multi-tenant ML platforms and cloud AI endpoints where external users submit inference requests. The CVE is not in CISA KEV, but exploit complexity is trivial (no AI/ML knowledge required), so opportunistic attackers can weaponize it without understanding TensorFlow internals.

What systems are affected?

Package: TensorFlow
Ecosystem: pip
Patched: No patch
Package stats: 195.8K, OpenSSF 7.1, 3.7K dependents, 4% patched, ~1372d to patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 35% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High

What should I do?

6 steps
  1. Patch: Upgrade TensorFlow to 2.11, 2.10.1, 2.9.3, or 2.8.4 (commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860).

  2. Input validation: Enforce hard upper bounds on all integer parameters before passing to TF ops — do not rely on TensorFlow's internal validation.

  3. API gateway: Deploy rate-limiting and schema validation that rejects out-of-range numeric fields at the perimeter.

  4. Process resilience: Run TF Serving under supervisors with auto-restart (Kubernetes liveness probes, systemd Restart=always) to minimize MTTR on crash.

  5. Least privilege: Ensure serving processes run as unprivileged users isolated from sensitive workloads.

  6. Detection: Alert on unexpected TF Serving process restarts, pod crash loops, or 5xx error spikes correlated with specific op invocations.
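Step 6 asks for alerting on process restarts, crash loops and 5xx spikes. The following detector is an added example for this page, not code from TensorFlow, TF Serving or the advisory. It runs a sliding-window count over a constructed log feed (gateway access lines interleaved with supervisor restart events); the line format, the `tf-serving.service` unit name, the `/v1/models/...:predict` paths, and the thresholds and window sizes are all assumptions to be adapted to a real Kubernetes-event or journald feed.

```python
"""Detection logic for step 6: alert on TF Serving crash loops and 5xx spikes.

Added example for this page; it is not code from TensorFlow, TF Serving or
the advisory. The log lines below are constructed, and the line format,
thresholds and window sizes are assumptions to adapt to a real gateway and
supervisor (Kubernetes events or journald) log feed.
"""
import re
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sample feed: gateway access-log lines interleaved with
# supervisor restart events, in time order (the detector assumes ordering).
SAMPLE_LOG = """\
2022-11-18T10:00:01Z access status=200 path=/v1/models/mfcc:predict
2022-11-18T10:00:05Z access status=500 path=/v1/models/mfcc:predict
2022-11-18T10:00:06Z restart unit=tf-serving.service reason=exit-code
2022-11-18T10:00:20Z access status=502 path=/v1/models/mfcc:predict
2022-11-18T10:00:31Z restart unit=tf-serving.service reason=exit-code
2022-11-18T10:00:40Z access status=503 path=/v1/models/mfcc:predict
2022-11-18T10:00:58Z restart unit=tf-serving.service reason=exit-code
2022-11-18T10:05:00Z access status=200 path=/v1/models/other:predict
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>access|restart) (?P<rest>.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or return None for noise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {"ts": ts.replace(tzinfo=timezone.utc), "raw_ts": m.group("ts"),
            "kind": m.group("kind"), **fields}


class SlidingWindowCounter:
    """Counts events that fall within `window` of the newest event."""

    def __init__(self, window):
        self.window = window
        self.events = deque()

    def add(self, ts):
        self.events.append(ts)
        while self.events and ts - self.events[0] > self.window:
            self.events.popleft()
        return len(self.events)


def detect(log_text, restart_threshold=3, restart_window=timedelta(minutes=10),
           error_threshold=3, error_window=timedelta(minutes=1)):
    """Return (alert_type, subject, timestamp) tuples in the order they fire.

    An alert fires once when a window count reaches its threshold; it does
    not repeat on every later event that stays above the threshold.
    """
    restarts = {}   # supervisor unit -> counter
    errors = {}     # request path -> counter, so spikes are tracked per model
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "restart" and "unit" in ev:
            unit = ev["unit"]
            n = restarts.setdefault(unit, SlidingWindowCounter(restart_window)).add(ev["ts"])
            if n == restart_threshold:
                alerts.append(("crash_loop", unit, ev["raw_ts"]))
        elif ev["kind"] == "access" and ev.get("status", "").startswith("5"):
            path = ev.get("path", "?")
            n = errors.setdefault(path, SlidingWindowCounter(error_window)).add(ev["ts"])
            if n == error_threshold:
                alerts.append(("5xx_spike", path, ev["raw_ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Keying the 5xx counter by request path is what makes the alert "correlated with specific op invocations" in the sense of step 6: a burst of 5xx on one model's predict path, with the serving unit restarting in the same minute, is the signature of a request-triggered crash rather than general backend load.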

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.2 - AI system availability and resilience
NIST AI RMF
MANAGE-2.2 - Reliable and robust AI system operation
OWASP LLM Top 10
LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2022-41896?

A network-reachable crash in TensorFlow requires zero authentication — an attacker sends a single malformed request with an oversized integer parameter and the serving process terminates. Any team running TensorFlow Serving APIs where untrusted users control input parameters is exposed. Patch to TF 2.11, 2.10.1, 2.9.3, or 2.8.4 immediately and add API gateway bounds-checking as a compensating control until patched.

Is CVE-2022-41896 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-41896, increasing the risk of exploitation.

How to fix CVE-2022-41896?

  1. Patch: Upgrade TensorFlow to 2.11, 2.10.1, 2.9.3, or 2.8.4 (commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860).

  2. Input validation: Enforce hard upper bounds on all integer parameters before passing to TF ops; do not rely on TensorFlow's internal validation.

  3. API gateway: Deploy rate-limiting and schema validation that rejects out-of-range numeric fields at the perimeter.

  4. Process resilience: Run TF Serving under supervisors with auto-restart (Kubernetes liveness probes, systemd Restart=always) to minimize MTTR on crash.

  5. Least privilege: Ensure serving processes run as unprivileged users isolated from sensitive workloads.

  6. Detection: Alert on unexpected TF Serving process restarts, pod crash loops, or 5xx error spikes correlated with specific op invocations.

What systems are affected by CVE-2022-41896?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML inference endpoints, training pipelines, NLP embedding pipelines, image preprocessing pipelines.

What is the CVSS score for CVE-2022-41896?

CVE-2022-41896 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.44%.

What is the AI security impact?

Affected AI Architectures

model serving, ML inference endpoints, training pipelines, NLP embedding pipelines, image preprocessing pipelines

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0034 Cost Harvesting
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.10.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM10:2025

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. If `ThreadUnsafeUnigramCandidateSampler` is given input `filterbank_channel_count` greater than the allowed max size, TensorFlow will crash. We have patched the issue in GitHub commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker discovers a TensorFlow Serving endpoint via Shodan, leaked API documentation, or a misconfigured cloud load balancer. They craft a gRPC PredictRequest or REST inference call targeting a model graph that includes the UnigramCandidateSampler or MirrorPad op, supplying a filterbank_channel_count value exceeding the internal maximum (no reverse engineering needed — the vulnerable parameter name is public via the CVE). TensorFlow crashes instantly. In a Kubernetes deployment without liveness probes configured, the pod stays down indefinitely. In a single-node serving setup, this takes the entire ML API offline. Repeated requests at low frequency maintain denial-of-service while evading rate-limit thresholds. No credentials, no payload crafting, no AI knowledge required.

Weaknesses (CWE)

CWE-1284 — Improper Validation of Specified Quantity in Input: The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis

Source: MITRE CWE corpus.
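Steps 2 and 3 of the remediation list and the CWE-1284 guidance above both come down to the same control: an "accept known good" schema at the perimeter that rejects any integer parameter outside an explicit range before it can reach a TF op. The validator below is an added example for this page, not code from TensorFlow, TF Serving or the advisory. Only the parameter name `filterbank_channel_count` comes from the advisory; the other field names, the JSON request layout and every bound are assumptions, and the cap of 128 is an illustrative gateway limit, not the maximum TensorFlow enforces internally.

```python
"""Accept-known-good bounds checking for inference-request parameters.

Added example covering steps 2 and 3 of the remediation list and the
CWE-1284 guidance; it is not code from TensorFlow, TF Serving or the
advisory. Parameter names other than filterbank_channel_count, the request
layout and every bound are assumptions: the 128 cap is an illustrative
gateway limit, not the maximum TensorFlow enforces internally.
"""
import json

# Allowlist of integer parameters a client may set, with inclusive ranges.
# A field absent from this table is rejected outright, so an unexpected
# parameter never reaches a TF op.
INT_BOUNDS = {
    "filterbank_channel_count": (1, 128),    # hypothetical cap
    "dct_coefficient_count": (1, 64),        # hypothetical cap
    "num_samples": (1, 4096),                # hypothetical cap
}


class ValidationError(ValueError):
    """Raised for any request that does not strictly conform to the schema."""


def validate_int(name, value, lo, hi):
    """Return `value` if it is a real int inside [lo, hi]; raise otherwise.

    No coercion: "40", 40.0 and True are all rejected. bool is excluded
    explicitly because it subclasses int in Python and True would pass as 1.
    """
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValidationError(f"{name}: expected integer, got {type(value).__name__}")
    if not lo <= value <= hi:
        raise ValidationError(f"{name}: {value} outside allowed range [{lo}, {hi}]")
    return value


def validate_request(params):
    """Return a clean copy of `params` containing exactly the allowlisted keys."""
    if not isinstance(params, dict):
        raise ValidationError("request body must be a JSON object")
    unknown = sorted(set(params) - set(INT_BOUNDS))
    if unknown:
        raise ValidationError(f"unknown parameter(s): {unknown}")
    clean = {}
    for name, (lo, hi) in INT_BOUNDS.items():
        if name not in params:
            raise ValidationError(f"missing parameter: {name}")
        clean[name] = validate_int(name, params[name], lo, hi)
    return clean


def check_request(params):
    """Non-raising wrapper: (True, clean_params) or (False, reason)."""
    try:
        return True, validate_request(params)
    except ValidationError as exc:
        return False, str(exc)


def check_json_body(body):
    """Validate a raw request body the way a gateway filter would see it."""
    try:
        params = json.loads(body)
    except ValueError as exc:   # json.JSONDecodeError subclasses ValueError
        return False, f"malformed JSON: {exc}"
    return check_request(params)


if __name__ == "__main__":
    good = '{"filterbank_channel_count": 40, "dct_coefficient_count": 13, "num_samples": 1024}'
    # Constructed oversized value of the kind the advisory describes.
    bad = '{"filterbank_channel_count": 2147483647, "dct_coefficient_count": 13, "num_samples": 1024}'
    for body in (good, bad):
        print(check_json_body(body))
```

The design choice worth noting is that nothing is coerced: a string, a float, a boolean or an unlisted field fails closed instead of being "helpfully" converted, which is the part of the CWE-1284 guidance (length, type, full range, missing or extra inputs) that a quick `int(value) < MAX` check would miss. The gateway rejects the request with a 4xx before the serving process ever sees it, so the oversized parameter cannot turn into a crash and a restart.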

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
November 18, 2022
Last Modified
November 21, 2024
First Seen
November 18, 2022

Related Vulnerabilities