CVE-2022-41901: TensorFlow: DoS via SparseMatrixNNZ CHECK assertion fail

Severity: HIGH. PoC available.
Published November 18, 2022
CISO Take

Any TensorFlow inference endpoint accepting user-supplied sparse tensor inputs is vulnerable to unauthenticated crash via a malformed rank-0 sparse matrix — no auth, no complexity barrier. This is a service availability threat for production ML serving deployments. Patch to TF 2.11/2.10.1/2.9.3/2.8.4 immediately and enforce input shape validation at the API boundary as a defense-in-depth measure.

What is the risk?

High availability risk for exposed TF Serving deployments. CVSS 7.5 reflects network-accessible (AV:N), zero-complexity (AC:L), no-auth (PR:N) exploitation with full availability impact. The attack surface is any inference endpoint that processes sparse matrix operations without input sanitization. With no confidentiality or integrity impact, the blast radius is limited to DoS, but repeated crashes can take down ML-powered production services. Not observed in active exploitation campaigns (not in KEV), but trivial to reproduce from the public advisory PoC.

What systems are affected?

Package: TensorFlow
Ecosystem: pip
Vulnerable Range: (none given)
Patched: No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 36% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

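Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High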

What should I do?

  1. PATCH

    Upgrade to TensorFlow 2.11, 2.10.1, 2.9.3, or 2.8.4 — all contain the fix at commit f856d02.

  2. INPUT VALIDATION

    Add pre-processing guards that validate tensor rank >= 2 before passing to any SparseMatrix ops; reject rank-0 inputs at the API boundary with HTTP 400.

  3. PROCESS ISOLATION

    Run TF Serving in separate containers per model so a crash does not affect unrelated services; configure restart policies (e.g., Docker --restart=always).

  4. RATE LIMITING

    Apply rate limiting on inference endpoints to reduce DoS amplification surface.

  5. DETECTION

    Alert on repeated TF Serving process crashes or CHECK failure log patterns containing 'SparseMatrixNNZ' or 'sparse_matrix.h'.

  6. INVENTORY

    Audit which deployed models use sparse matrix operations (tf.SparseTensor, tf.sparse.*, SparseMatrixNNZ) to scope exposure.
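
Step 2 as an added example (not code from the advisory or the TensorFlow project): a guard that checks a sparse input's declared shape before it reaches any SparseMatrix op. The payload layout with `indices`, `values` and `dense_shape` keys and the name `validate_sparse_input` are assumptions; map them to your own serving API.

```python
"""Added example: shape guard for sparse inputs at the API boundary."""
from typing import Any, Mapping, Tuple

MIN_RANK = 2  # rule from step 2: reject anything below rank 2


def _is_int(x: Any) -> bool:
    # bool is a subclass of int in Python; exclude it explicitly
    return isinstance(x, int) and not isinstance(x, bool)


def validate_sparse_input(payload: Mapping[str, Any]) -> Tuple[int, str]:
    """Return (http_status, reason); 200 means safe to forward to the model.

    `payload` is a hypothetical JSON body carrying the three components of a
    tf.SparseTensor: indices, values, dense_shape.
    """
    shape = payload.get("dense_shape")
    indices = payload.get("indices")
    values = payload.get("values")

    if not isinstance(shape, list) or not all(_is_int(d) for d in shape):
        return 400, "dense_shape must be a list of integers"
    rank = len(shape)  # rank is the number of dimensions declared
    if rank < MIN_RANK:
        return 400, f"sparse input has rank {rank}; rank >= {MIN_RANK} required"
    if any(d < 0 for d in shape):
        return 400, "dense_shape dimensions must be non-negative"
    if not isinstance(indices, list) or not isinstance(values, list):
        return 400, "indices and values must be lists"
    if len(indices) != len(values):
        return 400, "indices and values must have the same length"
    for row in indices:
        if not isinstance(row, list) or len(row) != rank:
            return 400, f"each index must have {rank} coordinates"
        if not all(_is_int(i) and 0 <= i < d for i, d in zip(row, shape)):
            return 400, "index out of bounds for dense_shape"
    return 200, "ok"


# Constructed sample requests (not taken from the advisory).
GOOD = {"indices": [[0, 1], [2, 0]], "values": [1.0, 2.0], "dense_shape": [3, 3]}
RANK0 = {"indices": [], "values": [], "dense_shape": []}
RANK1 = {"indices": [[0]], "values": [1.0], "dense_shape": [4]}
```

Call the guard in the request handler before any tensor is built, and return its status and reason to the client when the status is not 200.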

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
  • 6.1.2 - AI risk assessment
  • 8.4 - AI system operation
NIST AI RMF
  • MANAGE-2.2 - Mechanisms to sustain the value of deployed AI systems
  • MEASURE-2.5 - AI system to be deployed undergoes testing for robustness

Frequently Asked Questions

Is CVE-2022-41901 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-41901, increasing the risk of exploitation.

What systems are affected by CVE-2022-41901?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, batch inference pipelines.

What is the CVSS score for CVE-2022-41901?

CVE-2022-41901 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.45%.

What is the AI security impact?

Affected AI Architectures

model serving, training pipelines, batch inference pipelines

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0034 Cost Harvesting
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 6.1.2, 8.4
NIST AI RMF: MANAGE-2.2, MEASURE-2.5

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. An input `sparse_matrix` that is not a matrix with a shape with rank 0 will trigger a `CHECK` fail in `tf.raw_ops.SparseMatrixNNZ`. We have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary identifies a public-facing TensorFlow Serving endpoint (e.g., via Shodan scanning for port 8501/8500 or reviewing API documentation). Using the public GitHub advisory PoC, they craft a gRPC or REST inference request containing a SparseTensor with shape rank=0 (scalar rather than 2D matrix). When the request reaches tf.raw_ops.SparseMatrixNNZ, the kernel's CHECK assertion fires and the serving process crashes with a SIGABRT. With zero authentication required and trivial request construction, the adversary automates this in a loop — sending one malformed request every few seconds — effectively keeping the inference service permanently unavailable. This disrupts any downstream application relying on the ML endpoint, such as fraud detection, content moderation, or recommendation engines.
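
The crash loop in this scenario leaves a repeating signature in the serving logs. As an added example (not code from the advisory or the TensorFlow project), the detection below counts log lines matching the two patterns the page names and raises one alert per burst; the window, threshold, timestamp layout and sample lines are assumptions.

```python
"""Added example: alert on repeated CHECK-failure crashes in serving logs."""
import re
from collections import deque
from datetime import datetime, timedelta

# The two patterns named on this page for CHECK-failure log lines.
PATTERN = re.compile(r"SparseMatrixNNZ|sparse_matrix\.h")
WINDOW = timedelta(minutes=5)  # assumed alerting window
THRESHOLD = 3                  # assumed: matches inside WINDOW that raise an alert


def find_alerts(lines):
    """Return the timestamps (as strings) at which a burst crossed THRESHOLD."""
    recent, alerts = deque(), []
    for line in lines:
        if not PATTERN.search(line):
            continue
        try:
            ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # unparseable timestamp: skip instead of crashing the monitor
        recent.append(ts)
        # Drop matches that have aged out of the sliding window.
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()
        if len(recent) >= THRESHOLD:
            alerts.append(ts.isoformat(sep=" "))
            recent.clear()  # one alert per burst, then start counting again
    return alerts


# Constructed log lines; the layout and message text are assumptions.
SAMPLE_LOG = [
    "2022-11-20 10:00:01 I model loaded",
    "2022-11-20 10:00:05 F sparse_matrix.h] Check failed (constructed)",
    "2022-11-20 10:01:10 F sparse_matrix.h] Check failed (constructed)",
    "2022-11-20 10:02:30 E op SparseMatrixNNZ aborted (constructed)",
    "2022-11-20 10:30:00 F sparse_matrix.h] Check failed (constructed)",
]

if __name__ == "__main__":
    for when in find_alerts(SAMPLE_LOG):
        print(f"ALERT: repeated sparse-matrix CHECK failures at {when}")
```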

Weaknesses (CWE)

CWE-617 — Reachable Assertion: The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

  • [Implementation] Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
  • [Implementation] Perform input validation on user data.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: November 18, 2022
Last Modified: November 21, 2024
First Seen: November 18, 2022
