
CVE-2022-21735: n/a in n/a

Medium
Tags: Vulnerability, CVE-2022-21735, cve
Published: Thu Feb 03 2022 (02/03/2022, 12:53:48 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Tensorflow is an Open Source Machine Learning Framework. The implementation of `FractionalMaxPool` can be made to crash a TensorFlow process via a division by 0. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

AI-Powered Analysis

Last updated: 07/06/2025, 23:26:53 UTC

Technical Analysis

CVE-2022-21735 is a medium-severity vulnerability in the TensorFlow open-source machine learning framework. The issue lies in the implementation of the FractionalMaxPool operation, where crafted inputs can trigger a division by zero that crashes the TensorFlow process. It is classified under CWE-369 (Divide By Zero). The flaw does not compromise confidentiality or integrity; its effect is a denial of service (DoS) through a process crash, so the impact is on availability. Note that 2.5.3, 2.6.3 and 2.7.1 are the patched releases, not the vulnerable ones: the fix ships in TensorFlow 2.8.0 and was cherry-picked into those three patch releases, so 2.7.0, 2.6.0 through 2.6.2 and 2.5.0 through 2.5.2 are affected, and series older than 2.5 are outside the supported range and received no fix. The CVSS v3.1 base score is 6.5 (medium): network attack vector, low attack complexity, low privileges required (PR:L), no user interaction, and high availability impact with no confidentiality or integrity impact. In practice the "network" vector means the attacker must be able to supply a tensor that reaches a FractionalMaxPool op, for example through a model-serving endpoint or a pipeline that accepts untrusted inputs or untrusted models; a model that never calls FractionalMaxPool is not exposed. There were no known exploits in the wild as of the published date. The vulnerability is relevant to any organization running an affected TensorFlow version, especially where FractionalMaxPool (a pooling variant used in neural networks to reduce spatial dimensions by a non-integer ratio) is used on inputs an attacker can influence: a crafted input crashes the process and disrupts the machine learning service or pipeline that depends on it.

Potential Impact

For European organizations, the impact of CVE-2022-21735 primarily concerns availability disruptions in machine learning services relying on vulnerable TensorFlow versions. Industries such as finance, healthcare, automotive, and research institutions that deploy TensorFlow for AI workloads could experience service interruptions, leading to operational delays or degraded service quality. In critical sectors like healthcare diagnostics or autonomous vehicle systems, such disruptions could have safety or compliance implications. While the vulnerability does not expose data or allow unauthorized code execution, the denial of service could be exploited to cause downtime or interrupt AI-driven decision-making processes. Organizations with automated pipelines or real-time AI inference systems are particularly at risk of operational impact. Given the increasing adoption of AI and machine learning in Europe, the vulnerability could affect a broad range of enterprises and public sector entities that depend on TensorFlow for their AI infrastructure.

Mitigation Recommendations

European organizations should promptly upgrade TensorFlow to 2.8.0, or to the patch release of the minor line they already run (2.7.1, 2.6.3 or 2.5.3); installations on series older than 2.5 have no patched release and must be migrated. Where immediate patching is not feasible, validate the shape and pooling_ratio of tensors before they reach FractionalMaxPool and reject anything the operation cannot handle, rather than relying on the op itself to fail gracefully. Monitoring TensorFlow process stability and setting up automated restarts or failover reduces the impact of a crash but does not prevent it. Restricting access to TensorFlow services to trusted networks and authenticated users limits who can supply inputs, and therefore who can trigger the crash. Audit machine learning pipelines and model graphs for use of FractionalMaxPool (in TensorFlow, tf.nn.fractional_max_pool and the raw op tf.raw_ops.FractionalMaxPool) to establish actual exposure. Runtime protections such as container isolation and resource limits confine the effect of a crash to the affected worker. Finally, maintaining an inventory of AI/ML frameworks and their exact versions, including pinned versions in container images and serving environments, is what makes the version comparison above actionable.
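As an added example (not TensorFlow's own code and not from the advisory), the following Python module implements two of the checks described above: a version-range test built from the fix releases the advisory names, and a pre-validation of input shape and pooling_ratio before a tensor reaches FractionalMaxPool. It assumes that the zero divisor arises when a pooled dimension, floor(input_dim / pooling_ratio), comes out as 0, i.e. when a spatial dimension is smaller than its pooling ratio; that is the documented output-size formula for the op, but the advisory text itself does not state the root cause. The guarded wrapper safe_fractional_max_pool, its lazy tensorflow import, and the version strings and shapes at the bottom are illustrative and constructed.

```python
"""Pre-checks for the CVE-2022-21735 FractionalMaxPool denial of service.

Added example, not TensorFlow's code. Assumptions (see lead-in):
  * the crash condition is a pooled dimension floor(dim / ratio) == 0;
  * the fixed releases are exactly those the advisory names:
    2.8.0, and the cherry-picks 2.7.1, 2.6.3 and 2.5.3.
"""
import math
import re
from typing import Sequence, Tuple

# (major, minor) -> first patch level that contains the fix, per the advisory.
FIXED_PATCH_LEVEL = {(2, 5): 3, (2, 6): 3, (2, 7): 1}
FIRST_CLEAN_MINOR = (2, 8)  # 2.8.0 and later ship the fix


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce '2.6.2', '2.7.0rc1' or '2.8.0-dev20220101' to (major, minor, patch).
    Pre-release suffixes are ignored; for nightly/rc builds confirm the commit."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True if this TensorFlow version is affected by CVE-2022-21735."""
    major, minor, patch = parse_version(version)
    if (major, minor) >= FIRST_CLEAN_MINOR:
        return False
    fixed_patch = FIXED_PATCH_LEVEL.get((major, minor))
    if fixed_patch is None:
        # Older, out-of-support series: no fix was cherry-picked, treat as affected.
        return True
    return patch < fixed_patch


def fractional_pool_output_shape(input_shape: Sequence[int],
                                 pooling_ratio: Sequence[float]) -> Tuple[int, ...]:
    """Return the output shape FractionalMaxPool would produce, or raise
    ValueError for an input that must not reach the op.

    Checks: 4-D input with a static shape, four ratios, batch and channel
    ratios exactly 1.0, spatial ratios >= 1.0, and every pooled dimension
    >= 1 (the assumed trigger condition for the zero divisor).
    """
    if len(input_shape) != 4 or len(pooling_ratio) != 4:
        raise ValueError("FractionalMaxPool expects a 4-D input and 4 pooling ratios")
    if pooling_ratio[0] != 1.0 or pooling_ratio[3] != 1.0:
        raise ValueError("batch and channel pooling ratios must be 1.0")
    out = []
    for axis, (dim, ratio) in enumerate(zip(input_shape, pooling_ratio)):
        if dim is None:
            raise ValueError(f"axis {axis}: dynamic dimension, cannot pre-check")
        if dim <= 0:
            raise ValueError(f"axis {axis}: empty input dimension {dim}")
        if ratio < 1.0:
            raise ValueError(f"axis {axis}: pooling ratio {ratio} < 1.0")
        pooled = math.floor(dim / ratio)
        if pooled < 1:
            raise ValueError(
                f"axis {axis}: dimension {dim} is smaller than pooling ratio "
                f"{ratio}; pooled size would be 0 (CVE-2022-21735 trigger)")
        out.append(pooled)
    return tuple(out)


def is_safe_fractional_pool_input(input_shape: Sequence[int],
                                  pooling_ratio: Sequence[float]) -> bool:
    """Boolean form of the check above, for use in request filters."""
    try:
        fractional_pool_output_shape(input_shape, pooling_ratio)
        return True
    except ValueError:
        return False


def safe_fractional_max_pool(value, pooling_ratio, **kwargs):
    """Validate, then call tf.nn.fractional_max_pool. TensorFlow is imported
    lazily so the pure-Python checks above work without it installed."""
    import tensorflow as tf  # assumption: TensorFlow is available at call time
    fractional_pool_output_shape(value.shape.as_list(), pooling_ratio)
    return tf.nn.fractional_max_pool(value, pooling_ratio, **kwargs)


if __name__ == "__main__":
    # Constructed sample versions and shapes.
    for v in ("2.4.4", "2.5.2", "2.5.3", "2.6.2", "2.7.0", "2.7.1", "2.8.0"):
        print(f"{v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    ratio = [1.0, 1.44, 1.73, 1.0]
    print(fractional_pool_output_shape([1, 4, 4, 1], ratio))   # (1, 2, 2, 1)
    print(is_safe_fractional_pool_input([1, 1, 4, 1], ratio))  # False: row dim < 1.44
```

Use is_affected during inventory (for example against pip freeze output or image labels) and put is_safe_fractional_pool_input in front of any inference path that accepts caller-supplied shapes; the wrapper only protects code that goes through it, so the upgrade remains the real fix.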


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2021-11-16T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d981ec4522896dcbdbef0

Added to database: 5/21/2025, 9:08:46 AM

Last enriched: 7/6/2025, 11:26:53 PM

Last updated: 8/12/2025, 9:02:02 AM

