CVE-2022-41900: TensorFlow: heap OOB RCE in FractionalMaxPool op

CRITICAL PoC AVAILABLE
Published November 18, 2022
CISO Take

Any TensorFlow deployment exposing model inference endpoints to untrusted inputs is at risk of remote code execution—no authentication, no user interaction required. Patch to TensorFlow 2.10.1 or 2.11.0 immediately; if patching is delayed, restrict network access to inference endpoints and validate pooling parameters at the API boundary. Priority is highest for externally-facing ML serving infrastructure.

Risk Assessment

Critical risk (CVSS 9.8). The network-accessible, zero-authentication, low-complexity attack profile means any exposed TensorFlow inference endpoint is trivially exploitable. ML inference APIs are frequently internet-facing with minimal input validation, making them high-value targets. The GHSA advisory includes exploit references, and the attack requires only a malformed tensor operation with no prior foothold.

Affected Systems

Package: tensorflow
Ecosystem: pip
Patched: No patch


Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
1.2%
chance of exploitation in 30 days
Higher than 79% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Recommended Action

5 steps
  1. PATCH

    Upgrade to TensorFlow 2.10.1 or 2.11.0 (commit 216525144ee7c910296f5b05d214ca1327c9ce48).

  2. ISOLATE

    Place TensorFlow inference endpoints behind API gateways with strict input schema validation—reject requests containing non-positive or non-integer pooling_ratio values.

  3. DETECT

    Monitor TensorFlow serving processes for anomalous crashes or OOM termination, which may indicate exploitation attempts.

  4. NETWORK

    Restrict TensorFlow serving ports to trusted networks; avoid direct internet exposure of raw TensorFlow Serving endpoints.

  5. AUDIT

    Enumerate all environments running TensorFlow < 2.10.1 across training, serving, and evaluation workloads.
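As an added example that is not part of this advisory or of TensorFlow itself, the following Python gateway check implements step 2. It enforces the constraints TensorFlow documents for pooling_ratio (a list of at least four finite numbers, batch and channel entries exactly 1.0, spatial entries at least 1.0), which covers the non-positive values named above; the JSON request shape it scans for a pooling_ratio key is an assumption, since the real schema depends on the serving layer in front of TensorFlow.

```python
"""Added example (not TensorFlow code): gateway-side pooling_ratio validation."""
import json
import math
from typing import Any, Iterator, List, Tuple


# Documented TF constraints: >= 4 entries, batch/channel == 1.0, spatial >= 1.0.
def validate_pooling_ratio(ratio: Any) -> Tuple[bool, str]:
    if not isinstance(ratio, (list, tuple)) or len(ratio) < 4:
        return False, "pooling_ratio must be a list of at least 4 numbers"
    for i, r in enumerate(ratio):
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(r, bool) or not isinstance(r, (int, float)):
            return False, f"pooling_ratio[{i}] is not numeric"
        if not math.isfinite(r):
            return False, f"pooling_ratio[{i}] is not finite"
        if r <= 0:
            return False, f"pooling_ratio[{i}] is non-positive"
    if ratio[0] != 1.0 or ratio[-1] != 1.0:
        return False, "batch and channel pooling_ratio entries must be exactly 1.0"
    if any(r < 1.0 for r in ratio[1:-1]):
        return False, "spatial pooling_ratio entries must be >= 1.0"
    return True, "ok"


def _find_keys(obj: Any, key: str) -> Iterator[Any]:
    """Yield every value stored under `key` anywhere in a parsed JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                yield v
            yield from _find_keys(v, key)
    elif isinstance(obj, list):
        for item in obj:
            yield from _find_keys(item, key)


def check_request(body: str) -> List[str]:
    """Return rejection reasons for a JSON request body; empty list means accept."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"malformed JSON: {exc.msg}"]
    reasons = []
    for ratio in _find_keys(doc, "pooling_ratio"):
        ok, why = validate_pooling_ratio(ratio)
        if not ok:
            reasons.append(why)
    return reasons

# Constructed sample bodies (assumed request schema, not real traffic)
GOOD = json.dumps({"op": "FractionalMaxPool", "pooling_ratio": [1.0, 1.44, 1.73, 1.0]})
BAD = json.dumps({"op": "FractionalMaxPool", "pooling_ratio": [1.0, 0.0, -2.5, 1.0]})
```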

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system operation and monitoring
NIST AI RMF
GOVERN-6.1 - Organizational risk policies for AI
MANAGE-2.2 - Manage identified AI risks

Frequently Asked Questions

What is CVE-2022-41900?

Any TensorFlow deployment exposing model inference endpoints to untrusted inputs is at risk of remote code execution—no authentication, no user interaction required. Patch to TensorFlow 2.10.1 or 2.11.0 immediately; if patching is delayed, restrict network access to inference endpoints and validate pooling parameters at the API boundary. Priority is highest for externally-facing ML serving infrastructure.

Is CVE-2022-41900 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-41900, increasing the risk of exploitation.

How to fix CVE-2022-41900?

  1. PATCH: Upgrade to TensorFlow 2.10.1 or 2.11.0 (commit 216525144ee7c910296f5b05d214ca1327c9ce48).

  2. ISOLATE: Place TensorFlow inference endpoints behind API gateways with strict input schema validation—reject requests containing non-positive or non-integer pooling_ratio values.

  3. DETECT: Monitor TensorFlow serving processes for anomalous crashes or OOM termination, which may indicate exploitation attempts.

  4. NETWORK: Restrict TensorFlow serving ports to trusted networks; avoid direct internet exposure of raw TensorFlow Serving endpoints.

  5. AUDIT: Enumerate all environments running TensorFlow < 2.10.1 across training, serving, and evaluation workloads.

What systems are affected by CVE-2022-41900?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference endpoints, training pipelines, ML API gateways.

What is the CVSS score for CVE-2022-41900?

CVE-2022-41900 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.24%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. The security vulnerability results in FractionalMax(AVG)Pool with illegal pooling_ratio. Attackers using Tensorflow can exploit the vulnerability. They can access heap memory which is not in the control of user, leading to a crash or remote code execution. We have patched the issue in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48. The fix will be included in TensorFlow 2.11.0. We will also cherry pick this commit on TensorFlow 2.10.1.

Exploitation Scenario

An adversary identifies an organization's ML inference API (e.g., TensorFlow Serving, a FastAPI wrapper, or Vertex AI custom container) that processes user-submitted model requests. By crafting a malicious HTTP request containing a FractionalMaxPool or FractionalAvgPool operation with an illegal pooling_ratio—such as a zero or negative value—the attacker triggers heap out-of-bounds access on the inference server. A carefully shaped payload achieves full RCE on the host, enabling extraction of model weights, environment secrets, API keys resident in memory, or lateral movement to internal ML infrastructure. Zero prerequisites: no account, no session, exploitable over standard HTTP from the internet.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
November 18, 2022
Last Modified
November 21, 2024
First Seen
November 18, 2022

Related Vulnerabilities