CVE-2022-41901: TensorFlow: DoS via SparseMatrixNNZ CHECK assertion fail

HIGH PoC AVAILABLE
Published November 18, 2022
CISO Take

Any TensorFlow inference endpoint accepting user-supplied sparse tensor inputs is vulnerable to an unauthenticated crash via a malformed rank-0 sparse matrix — no auth, no complexity barrier. This is a service availability threat for production ML serving deployments. Patch to TF 2.11/2.10.1/2.9.3/2.8.4 immediately and enforce input shape validation at the API boundary as a defense-in-depth measure.

Risk Assessment

High availability risk for exposed TF Serving deployments. CVSS 7.5 reflects network-accessible (AV:N), zero-complexity (AC:L), no-auth (PR:N) exploitation with full availability impact. The attack surface is any inference endpoint that processes sparse matrix operations without input sanitization. No confidentiality or integrity impact limits blast radius to DoS, but repeated crashes can take down ML-powered production services. Not observed in active exploitation campaigns (not in KEV), but trivial to reproduce from the public advisory PoC.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
tensorflow | pip | (not listed) | No patch

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 56% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium. Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

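Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High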

Recommended Action

6 steps
  1. PATCH

    Upgrade to TensorFlow 2.11, 2.10.1, 2.9.3, or 2.8.4 — all contain the fix at commit f856d02.

  2. INPUT VALIDATION

    Add pre-processing guards that validate tensor rank >= 2 before passing to any SparseMatrix ops; reject rank-0 inputs at the API boundary with HTTP 400.

  3. PROCESS ISOLATION

    Run TF Serving in separate containers per model so a crash does not affect unrelated services; configure restart policies (e.g., Docker --restart=always).

  4. RATE LIMITING

    Apply rate limiting on inference endpoints to reduce DoS amplification surface.

  5. DETECTION

    Alert on repeated TF Serving process crashes or CHECK failure log patterns containing 'SparseMatrixNNZ' or 'sparse_matrix.h'.

  6. INVENTORY

    Audit which deployed models use sparse matrix operations (tf.SparseTensor, tf.sparse.*, SparseMatrixNNZ) to scope exposure.
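
For step 2, a boundary check can reject non-matrix sparse inputs before any SparseMatrix op sees them. The sketch below is an added example, not code from TensorFlow or from this advisory; the request schema (`indices`, `values`, `dense_shape`) and the function names are assumptions.

```python
# Added example: boundary check for sparse inputs before any SparseMatrix op runs.
# The payload layout (indices / values / dense_shape) is an assumed request schema.
from numbers import Integral

MIN_RANK = 2  # the advisory's guard: anything below rank 2 is not a matrix


class BadSparseInput(ValueError):
    """Raised for inputs that must be answered with HTTP 400."""


def _is_int(x):
    # bool is a subclass of int in Python; it is not a valid dimension or index.
    return isinstance(x, Integral) and not isinstance(x, bool)


def validate_sparse_input(payload):
    """Return the validated rank, or raise BadSparseInput."""
    if not isinstance(payload, dict):
        raise BadSparseInput("sparse input must be a JSON object")
    shape = payload.get("dense_shape")
    # A scalar (rank 0) arrives as a bare number or as an empty list.
    if not isinstance(shape, list):
        raise BadSparseInput("dense_shape must be a list of dimensions")
    rank = len(shape)
    if rank < MIN_RANK:
        raise BadSparseInput(f"rank {rank} rejected, need rank >= {MIN_RANK}")
    if not all(_is_int(d) and d >= 0 for d in shape):
        raise BadSparseInput("dimensions must be non-negative integers")
    indices, values = payload.get("indices"), payload.get("values")
    if not isinstance(indices, list) or not isinstance(values, list):
        raise BadSparseInput("indices and values must be lists")
    if len(indices) != len(values):
        raise BadSparseInput("indices and values differ in length")
    for idx in indices:
        if not isinstance(idx, list) or len(idx) != rank:
            raise BadSparseInput("each index needs one coordinate per dimension")
        if not all(_is_int(c) and 0 <= c < d for c, d in zip(idx, shape)):
            raise BadSparseInput("index out of bounds for dense_shape")
    return rank


def handle_request(payload):
    """Map validation results to (status, body) as an API gateway would."""
    try:
        return 200, {"accepted_rank": validate_sparse_input(payload)}
    except BadSparseInput as exc:
        return 400, {"error": str(exc)}
```
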

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 6.1.2 - AI risk assessment; 8.4 - AI system operation
NIST AI RMF: MANAGE-2.2 - Mechanisms to sustain the value of deployed AI systems; MEASURE-2.5 - AI system to be deployed undergoes testing for robustness

Frequently Asked Questions

What is CVE-2022-41901?

Any TensorFlow inference endpoint accepting user-supplied sparse tensor inputs is vulnerable to an unauthenticated crash via a malformed rank-0 sparse matrix — no auth, no complexity barrier. This is a service availability threat for production ML serving deployments. Patch to TF 2.11/2.10.1/2.9.3/2.8.4 immediately and enforce input shape validation at the API boundary as a defense-in-depth measure.

Is CVE-2022-41901 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-41901, increasing the risk of exploitation.

How to fix CVE-2022-41901?

1. PATCH: Upgrade to TensorFlow 2.11, 2.10.1, 2.9.3, or 2.8.4 — all contain the fix at commit f856d02.
2. INPUT VALIDATION: Add pre-processing guards that validate tensor rank >= 2 before passing to any SparseMatrix ops; reject rank-0 inputs at the API boundary with HTTP 400.
3. PROCESS ISOLATION: Run TF Serving in separate containers per model so a crash does not affect unrelated services; configure restart policies (e.g., Docker --restart=always).
4. RATE LIMITING: Apply rate limiting on inference endpoints to reduce DoS amplification surface.
5. DETECTION: Alert on repeated TF Serving process crashes or CHECK failure log patterns containing 'SparseMatrixNNZ' or 'sparse_matrix.h'.
6. INVENTORY: Audit which deployed models use sparse matrix operations (tf.SparseTensor, tf.sparse.*, SparseMatrixNNZ) to scope exposure.

What systems are affected by CVE-2022-41901?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, batch inference pipelines.

What is the CVSS score for CVE-2022-41901?

CVE-2022-41901 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.33%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. An input `sparse_matrix` that is not a matrix with a shape with rank 0 will trigger a `CHECK` fail in `tf.raw_ops.SparseMatrixNNZ`. We have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary identifies a public-facing TensorFlow Serving endpoint (e.g., via Shodan scanning for port 8501/8500 or reviewing API documentation). Using the public GitHub advisory PoC, they craft a gRPC or REST inference request containing a SparseTensor with shape rank=0 (scalar rather than 2D matrix). When the request reaches tf.raw_ops.SparseMatrixNNZ, the kernel's CHECK assertion fires and the serving process crashes with a SIGABRT. With zero authentication required and trivial request construction, the adversary automates this in a loop — sending one malformed request every few seconds — effectively keeping the inference service permanently unavailable. This disrupts any downstream application relying on the ML endpoint, such as fraud detection, content moderation, or recommendation engines.
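
The crash loop in this scenario leaves a repeating fatal CHECK line in the serving logs, which is what the detection step keys on. The following is an added example, not part of the advisory: the log layout, the sample lines, the threshold, and the window are all constructed assumptions to adapt to your own log pipeline.

```python
# Added example: flag repeated CHECK-failure crashes in serving logs.
# Log layout and sample lines are constructed; adapt the regex to your log shipper.
import re
from collections import deque
from datetime import datetime, timedelta

# Markers named in the detection step of this advisory.
MARKERS = ("SparseMatrixNNZ", "sparse_matrix.h")
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+: (?P<sev>[IWEF]) (?P<msg>.*)$"
)

SAMPLE_LOG = """\
2022-11-18 10:00:01.000000: I serving/main.cc:0] constructed sample: server started
2022-11-18 10:00:07.100000: F kernels/sparse/sparse_matrix.h:0] Check failed: constructed sample
2022-11-18 10:00:09.000000: I serving/main.cc:0] constructed sample: server started
2022-11-18 10:00:12.300000: F kernels/sparse/sparse_matrix.h:0] Check failed: constructed sample
2022-11-18 10:00:14.000000: W serving/other.cc:0] constructed warning mentioning SparseMatrixNNZ
2022-11-18 10:00:18.900000: F kernels/sparse/sparse_matrix.h:0] Check failed: constructed sample
2022-11-18 10:30:00.000000: F framework/other.cc:0] Check failed: unrelated constructed sample
"""


def find_crash_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return timestamps at which `threshold` matching fatal lines fell inside `window`."""
    recent, alerts = deque(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Only fatal ("F") lines abort the process; lower severities are ignored.
        if not m or m["sev"] != "F" or "Check failed" not in m["msg"]:
            continue
        if not any(marker in m["msg"] for marker in MARKERS):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        recent.append(ts)
        # Drop crashes that have aged out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ts)
            recent.clear()  # one alert per burst, then start counting again
    return alerts


if __name__ == "__main__":
    for ts in find_crash_bursts(SAMPLE_LOG):
        print(f"ALERT {ts}: repeated SparseMatrix CHECK failures")
```
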

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
November 18, 2022
Last Modified
November 21, 2024
First Seen
November 18, 2022

Related Vulnerabilities