CVE-2022-41911: TensorFlow: type confusion DoS via bool cast in tensors

HIGH
Published November 18, 2022
CISO Take

Any TensorFlow deployment exposing model inference or serving endpoints is potentially vulnerable to a crash triggered by crafted tensor data containing non-standard byte values. The attack requires no authentication and operates over the network (CVSS 7.5). Patch to TensorFlow 2.11.0, 2.10.1, 2.9.3, or 2.8.4 immediately; prioritize internet-facing inference APIs.

Risk Assessment

High priority for externally exposed TensorFlow serving endpoints due to the zero-auth network vector. Exploitation achieves only DoS — no data exfiltration or code execution — but sustained crashes against ML inference APIs can halt production AI services. The undefined behavior (CWE-704) may manifest inconsistently across compiler versions and platforms, but the attack surface is broad given TensorFlow's prevalence. The CVE is not in CISA KEV and there was no known active exploitation as of publication, which reduces urgency slightly.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
7.5 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 35% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

Recommended Action

5 steps
  1. Patch: Upgrade TensorFlow to 2.11.0, 2.10.1, 2.9.3, or 2.8.4 depending on your deployed branch.

  2. Workaround: If patching is blocked, restrict network access to TF Serving endpoints via firewall rules and require authentication proxies in front of inference APIs.

  3. Input validation: Add pre-processing guards to reject tensor inputs with unexpected byte patterns before they reach TF runtime.

  4. Detection: Monitor for unexpected TF process crashes or sanitizer output in application logs; alert on serving pod restarts.

  5. Audit: Inventory all internal services consuming TensorFlow as a dependency — build systems, MLOps pipelines, and notebook servers are often overlooked.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 - Risk Management System
ISO 42001
A.6.2 - AI system operation and monitoring
NIST AI RMF
MANAGE-2.2 - Risks from third-party entities are managed
OWASP LLM Top 10
LLM04 - Model Denial of Service
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2022-41911?

Any TensorFlow deployment exposing model inference or serving endpoints is potentially vulnerable to a crash triggered by crafted tensor data containing non-standard byte values. The attack requires no authentication and operates over the network (CVSS 7.5). Patch to TensorFlow 2.11.0, 2.10.1, 2.9.3, or 2.8.4 immediately; prioritize internet-facing inference APIs.

Is CVE-2022-41911 actively exploited?

No confirmed active exploitation of CVE-2022-41911 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-41911?

  1. Patch: Upgrade TensorFlow to 2.11.0, 2.10.1, 2.9.3, or 2.8.4 depending on your deployed branch.

  2. Workaround: If patching is blocked, restrict network access to TF Serving endpoints via firewall rules and require authentication proxies in front of inference APIs.

  3. Input validation: Add pre-processing guards to reject tensor inputs with unexpected byte patterns before they reach TF runtime.

  4. Detection: Monitor for unexpected TF process crashes or sanitizer output in application logs; alert on serving pod restarts.

  5. Audit: Inventory all internal services consuming TensorFlow as a dependency — build systems, MLOps pipelines, and notebook servers are often overlooked.

What systems are affected by CVE-2022-41911?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference endpoints, ML development environments.

What is the CVSS score for CVE-2022-41911?

CVE-2022-41911 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.15%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. When printing a tensor, we get its data as a `const char*` array (since that's the underlying storage) and then we typecast it to the element type. However, conversions from `char` to `bool` are undefined if the `char` is not `0` or `1`, so sanitizers/fuzzers will crash. The issue has been patched in GitHub commit `1be74370327`. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.10.1, TensorFlow 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
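
One way to implement the input-validation guard from the Recommended Action list, checking the property the NVD description names: every byte of a `bool` buffer must be `0` or `1`. This is an added example, not TensorFlow code or code from the advisory; the function names, the dtype table and the sample buffers are constructed for illustration, and it assumes the service sees the raw element bytes before handing them to the runtime.

```python
import math

# Bytes per element for the dtypes this guard accepts (illustrative subset).
ITEMSIZE = {"bool": 1, "uint8": 1, "int32": 4, "float32": 4}


class TensorRejected(ValueError):
    """Raised when a raw tensor buffer fails validation."""


def check_raw_tensor(dtype, shape, raw):
    """Return raw unchanged if it is a well-formed buffer, else raise."""
    if dtype not in ITEMSIZE:
        raise TensorRejected(f"unsupported dtype {dtype!r}")
    if any(not isinstance(d, int) or d < 0 for d in shape):
        raise TensorRejected(f"invalid shape {shape!r}")
    expected = math.prod(shape) * ITEMSIZE[dtype]
    if len(raw) != expected:
        raise TensorRejected(f"length {len(raw)} != expected {expected}")
    if dtype == "bool":
        # Only 0x00 and 0x01 encode a bool; delete them and see what is left.
        stray = raw.translate(None, b"\x00\x01")
        if stray:
            offset = next(i for i, b in enumerate(raw) if b > 1)
            raise TensorRejected(
                f"bool tensor has {len(stray)} byte(s) outside {{0,1}}; "
                f"first is 0x{raw[offset]:02x} at offset {offset}")
    return raw


def screen_batch(requests):
    """Split (name, dtype, shape, raw) tuples into accepted names and rejections."""
    accepted, rejected = [], {}
    for name, dtype, shape, raw in requests:
        try:
            check_raw_tensor(dtype, shape, raw)
            accepted.append(name)
        except TensorRejected as exc:
            rejected[name] = str(exc)  # log this; repeated hits are a signal
    return accepted, rejected


# Constructed sample requests (not taken from the advisory).
SAMPLES = [
    ("ok_mask", "bool", (2, 2), bytes([1, 0, 0, 1])),
    ("bad_mask", "bool", (4,), bytes([1, 0, 0xFF, 2])),
    ("short_mask", "bool", (3,), bytes([1, 0])),
]

if __name__ == "__main__":
    print(screen_batch(SAMPLES))
```

Rejections recorded by `screen_batch` are also useful for the detection step: a client that repeatedly submits malformed `bool` buffers shows up in the log before any process crash does.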

Exploitation Scenario

An adversary sends a crafted REST request to an exposed TensorFlow Serving endpoint, embedding a boolean tensor payload where byte values are not 0 or 1 (e.g., 0xFF). When TensorFlow attempts to print or log the tensor during debug output or error handling, the undefined char-to-bool cast crashes the serving process. In a Kubernetes-based MLOps environment, this can be chained into a sustained denial of service: the adversary loops requests, crashing inference pods faster than the autoscaler can replace them, taking the model API offline without any credentials.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
November 18, 2022
Last Modified
November 21, 2024
First Seen
November 18, 2022
