CVE-2022-41911: TensorFlow: type confusion DoS via bool cast in tensors

HIGH
Published November 18, 2022
CISO Take

Any TensorFlow deployment that accepts tensor data from untrusted parties (model inference or serving endpoints, or pipelines that deserialize user-supplied tensors) can be crashed by a boolean tensor whose raw bytes are anything other than 0 or 1, provided the runtime goes on to print or format that tensor (logging, error messages, debug output). The attack requires no authentication and operates over the network (CVSS 7.5). Patch to TensorFlow 2.11.0, 2.10.1, 2.9.3, or 2.8.4 immediately; prioritize internet-facing inference APIs.

What is the risk?

High priority for externally-exposed TensorFlow serving endpoints due to the zero-auth network vector. Exploitation achieves only DoS, with no data exfiltration or code execution, but sustained crashes against ML inference APIs can halt production AI services. The crash path runs when the runtime prints or formats the offending tensor (logging, error messages, debug output), so reachability in a given deployment depends on whether attacker-controlled tensors ever hit that path. The undefined behavior (CWE-704) is reported reliably by sanitizer-instrumented builds but may manifest inconsistently across compiler versions and platforms in release builds; the attack surface is nonetheless broad given TensorFlow's prevalence. Not in CISA KEV and no known active exploitation as of publication, reducing urgency slightly.

What systems are affected?

Package TensorFlow
Ecosystem pip
Vulnerable Range before 2.8.4; 2.9.0 through 2.9.2; 2.10.0
Patched 2.8.4, 2.9.3, 2.10.1, 2.11.0

Do you run TensorFlow on a release older than the patched version of its branch (2.8.4, 2.9.3, 2.10.1, 2.11.0)? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 31% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

What should I do?

5 steps
  1. Patch: Upgrade TensorFlow to 2.11.0, 2.10.1, 2.9.3, or 2.8.4 depending on your deployed branch.

  2. Workaround: If patching is blocked, restrict network access to TF Serving endpoints via firewall rules and require authentication proxies in front of inference APIs.

  3. Input validation: Add pre-processing guards in front of the runtime that reject DT_BOOL tensor inputs whose raw bytes are anything other than 0 or 1, and reject any tensor whose byte length does not match its declared dtype and shape.

  4. Detection: Monitor for unexpected TF process crashes (abnormal process exits, core dumps, or sanitizer reports in instrumented builds) in application logs; alert on serving pod restart loops.

  5. Audit: Inventory all internal services consuming TensorFlow as a dependency — build systems, MLOps pipelines, and notebook servers are often overlooked.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk Management System
ISO 42001
A.6.2 - AI system operation and monitoring
NIST AI RMF
MANAGE-2.2 - Risks from third-party entities are managed
OWASP LLM Top 10
LLM04 - Model Denial of Service LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2022-41911?

Any TensorFlow deployment that accepts tensor data from untrusted parties (model inference or serving endpoints, or pipelines that deserialize user-supplied tensors) can be crashed by a boolean tensor whose raw bytes are anything other than 0 or 1, provided the runtime goes on to print or format that tensor (logging, error messages, debug output). The attack requires no authentication and operates over the network (CVSS 7.5). Patch to TensorFlow 2.11.0, 2.10.1, 2.9.3, or 2.8.4 immediately; prioritize internet-facing inference APIs.

Is CVE-2022-41911 actively exploited?

No confirmed active exploitation of CVE-2022-41911 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-41911?

1. Patch: Upgrade TensorFlow to 2.11.0, 2.10.1, 2.9.3, or 2.8.4 depending on your deployed branch.
2. Workaround: If patching is blocked, restrict network access to TF Serving endpoints via firewall rules and require authentication proxies in front of inference APIs.
3. Input validation: Add pre-processing guards in front of the runtime that reject DT_BOOL tensor inputs whose raw bytes are anything other than 0 or 1, and reject any tensor whose byte length does not match its declared dtype and shape.
4. Detection: Monitor for unexpected TF process crashes (abnormal process exits, core dumps, or sanitizer reports in instrumented builds) in application logs; alert on serving pod restart loops.
5. Audit: Inventory all internal services consuming TensorFlow as a dependency; build systems, MLOps pipelines, and notebook servers are often overlooked.

What systems are affected by CVE-2022-41911?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference endpoints, ML development environments.

What is the CVSS score for CVE-2022-41911?

CVE-2022-41911 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.40%.

What is the AI security impact?

Affected AI Architectures

model serving, training pipelines, inference endpoints, ML development environments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM04, LLM05

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. When printing a tensor, we get its data as a `const char*` array (since that's the underlying storage) and then we typecast it to the element type. However, conversions from `char` to `bool` are undefined if the `char` is not `0` or `1`, so sanitizers/fuzzers will crash. The issue has been patched in GitHub commit `1be74370327`. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.10.1, TensorFlow 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
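The following is an added example, not TensorFlow's code and not the change in the referenced commit. It shows the unchecked char-to-bool load the advisory describes beside a hardened decode that is defined for every byte value, and a payload validator of the kind the input-validation step above calls for. The `TensorPayload` struct and the `element_size` table are simplified stand-ins for a TensorProto and are assumptions of this example; the sample payloads are constructed.

```cpp
// Added example: undefined char->bool load vs. a defined decode, plus a
// pre-inference guard for DT_BOOL tensor_content. Build with UBSan to see the
// unchecked path flagged on a 0xFF byte:
//   clang++ -std=c++17 -fsanitize=undefined bool_tensor_guard.cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Vulnerable pattern: reinterpret raw storage as bool. C++ only permits the
// values 0 and 1 in a bool object, so loading 0xFF this way is undefined
// behaviour; -fsanitize=undefined reports it as
// "load of value 255, which is not a valid value for type 'bool'".
// Never call this on untrusted bytes.
bool read_bool_unchecked(const char* p) {
    return *reinterpret_cast<const bool*>(p);
}

// Hardened decode: read the byte as an integer and compare. Every bit
// pattern is a valid unsigned char, so this is defined for any input.
bool read_bool_checked(const char* p) {
    return static_cast<unsigned char>(*p) != 0;
}

// Offset of the first byte that is not 0 or 1, or -1 if the buffer is a
// well-formed DT_BOOL storage.
long first_invalid_bool_byte(const char* data, std::size_t len) {
    for (std::size_t i = 0; i < len; ++i) {
        if (static_cast<unsigned char>(data[i]) > 1) return static_cast<long>(i);
    }
    return -1;
}

// Minimal stand-in for a TensorProto (assumption of this example).
struct TensorPayload {
    std::string dtype;
    std::vector<std::size_t> shape;
    std::string content;  // raw tensor_content bytes
};

// Byte width per element for the fixed-width dtypes this guard understands;
// 0 means unknown or variable-width (e.g. DT_STRING) and is rejected.
std::size_t element_size(const std::string& dtype) {
    if (dtype == "DT_BOOL" || dtype == "DT_INT8" || dtype == "DT_UINT8") return 1;
    if (dtype == "DT_INT32" || dtype == "DT_FLOAT") return 4;
    if (dtype == "DT_INT64" || dtype == "DT_DOUBLE") return 8;
    return 0;
}

// Accepts a payload only if the dtype is known, the content length matches
// the declared shape, and (for DT_BOOL) every byte is 0 or 1. Returns an
// empty string on success, otherwise a reason suitable for a 400 response.
std::string validate_payload(const TensorPayload& t) {
    std::size_t es = element_size(t.dtype);
    if (es == 0) return "unsupported dtype " + t.dtype;
    std::size_t n = 1;
    for (std::size_t d : t.shape) {
        if (d != 0 && n > SIZE_MAX / d) return "shape overflow";
        n *= d;
    }
    if (n > SIZE_MAX / es) return "shape overflow";
    if (n * es != t.content.size()) return "tensor_content length does not match shape";
    if (t.dtype == "DT_BOOL") {
        long bad = first_invalid_bool_byte(t.content.data(), t.content.size());
        if (bad >= 0) return "DT_BOOL byte at offset " + std::to_string(bad) + " is not 0 or 1";
    }
    return "";
}

int main() {
    // Constructed payloads: a benign [1,0,1] and one smuggling a 0xFF byte.
    TensorPayload good{"DT_BOOL", {3}, std::string("\x01\x00\x01", 3)};
    TensorPayload bad{"DT_BOOL", {3}, std::string("\x01\xff\x00", 3)};
    std::cout << "good: " << (validate_payload(good).empty() ? "accepted" : "rejected") << "\n";
    std::cout << "bad: " << validate_payload(bad) << "\n";
    // Defined for any byte, including the smuggled 0xFF:
    std::cout << "checked decode of 0xFF: " << read_bool_checked(bad.content.data() + 1) << "\n";
    // read_bool_unchecked(bad.content.data() + 1) would be the undefined load.
    return 0;
}
```

Run the guard on the request before it reaches the runtime; the length check matters because a mismatched shape is how non-bool bytes would otherwise be read as bools in the first place.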

Exploitation Scenario

An adversary sends a crafted inference request to an exposed TensorFlow Serving endpoint carrying a boolean tensor whose raw bytes are not 0 or 1 (e.g., 0xFF). This requires a transport that carries the tensor's raw storage, such as the tensor_content bytes of a TensorProto in a gRPC PredictRequest; the JSON REST API expresses booleans only as JSON true/false. When TensorFlow attempts to print or log the tensor during debug output or error handling, the undefined char-to-bool load crashes the serving process (reliably in sanitizer-instrumented builds; in ordinary release builds the outcome is compiler- and platform-dependent). In a Kubernetes-based MLOps environment, this can be chained into a sustained denial of service: the adversary loops requests, crashing inference pods faster than the autoscaler can replace them, taking the model API offline without any credentials.

Weaknesses (CWE)

CWE-704 — Incorrect Type Conversion or Cast: The product does not correctly convert an object, resource, or structure from one type to a different type.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
November 18, 2022
Last Modified
November 21, 2024
First Seen
November 18, 2022

Related Vulnerabilities