CVE-2022-35989: CWE-617: Reachable Assertion in tensorflow tensorflow
TensorFlow is an open source platform for machine learning. When `MaxPool` receives a window size input array `ksize` with dimensions greater than its input tensor `input`, the GPU kernel gives a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 32d7bd3defd134f21a4e344c8dfd40099aaf6b18. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.
AI Analysis
Technical Summary
CVE-2022-35989 is a medium-severity vulnerability in TensorFlow, an open-source machine learning platform widely used for developing and deploying ML models. The issue arises in the GPU kernel implementation of the MaxPool operation, which performs max pooling on input tensors. Specifically, when the window size input array `ksize` has dimensions larger than the input tensor `input`, the GPU kernel triggers a `CHECK` failure, resulting in a reachable assertion failure (CWE-617). This assertion failure causes the process to terminate unexpectedly, leading to a denial of service (DoS) condition. The vulnerability affects TensorFlow versions prior to 2.7.2, as well as versions 2.8.0 up to but not including 2.8.1, and 2.9.0 up to but not including 2.9.1. The issue has been patched in TensorFlow 2.10.0 and backported to supported versions 2.7.2, 2.8.1, and 2.9.1. No known workarounds exist, and exploitation requires feeding malformed input parameters to the MaxPool operation, which could be done by an attacker with the ability to submit or influence input data to a TensorFlow-based service or application. There are no reports of active exploitation in the wild. The vulnerability impacts the availability of the affected system by causing crashes but does not directly compromise confidentiality or integrity. The root cause is improper validation of input dimensions leading to an assertion failure in GPU kernel code.
Potential Impact
For European organizations leveraging TensorFlow in their machine learning pipelines, especially those deploying models in production environments or offering ML-as-a-service, this vulnerability poses a risk of denial of service. An attacker able to supply crafted inputs to the MaxPool operation could cause service interruptions or crashes, potentially impacting business continuity and availability of critical AI-driven applications. Industries such as finance, healthcare, automotive, and manufacturing in Europe that increasingly rely on AI/ML for decision-making, automation, or customer-facing services could face operational disruptions. While the vulnerability does not allow data exfiltration or code execution, repeated or targeted DoS attacks could degrade service reliability and damage organizational reputation. Additionally, organizations using GPU-accelerated TensorFlow models in cloud or on-premises environments must be aware that this vulnerability specifically affects GPU kernel code, which is common in high-performance ML workloads. The lack of known workarounds means patching is the primary remediation method to maintain service availability and resilience.
Mitigation Recommendations
European organizations should prioritize upgrading TensorFlow installations to version 2.10.0 or later, or apply the backported patches available in versions 2.7.2, 2.8.1, and 2.9.1 as soon as possible. Since no workarounds exist, patch management is critical. Additionally, organizations should audit their ML pipelines to identify any external or untrusted inputs that could influence the `ksize` parameter in MaxPool operations and implement input validation or sanitization at the application layer to prevent malformed inputs from reaching TensorFlow. Monitoring and alerting on unexpected TensorFlow process crashes or GPU kernel failures can help detect exploitation attempts. For cloud deployments, consider isolating TensorFlow workloads and applying rate limiting or input filtering to reduce exposure. Finally, organizations should review their incident response plans to include scenarios involving ML service disruptions and ensure that backup and failover mechanisms are in place to maintain availability during potential DoS events.
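One way to implement the application-layer check on `ksize` recommended above, written as an added example; it is not TensorFlow's code and not the upstream fix. It assumes a 4-D input with a fully known shape and `ksize`/`strides` with one entry per dimension; the function names and sample requests are hypothetical, and the policy is deliberately conservative in refusing any window larger than the matching input dimension.

```python
from typing import Sequence, Tuple


def _positive_ints(values: Sequence[object]) -> bool:
    """True when every entry is a plain int greater than zero."""
    return all(type(v) is int and v > 0 for v in values)


def check_maxpool_args(input_shape: Sequence[int], ksize: Sequence[int],
                       strides: Sequence[int]) -> Tuple[bool, str]:
    """Return (ok, reason) for pooling arguments taken from a request.

    Assumption: 4-D input with a fully known shape, and ksize/strides
    carrying one entry per input dimension, as 2-D MaxPool expects.
    """
    if len(input_shape) != 4 or not _positive_ints(input_shape):
        return False, "input_shape must be four positive integers"
    for name, arg in (("ksize", ksize), ("strides", strides)):
        if len(arg) != 4 or not _positive_ints(arg):
            return False, f"{name} must be four positive integers"
    for axis, (dim, window) in enumerate(zip(input_shape, ksize)):
        # Condition named in the advisory: window larger than the input.
        # Conservative policy (an assumption of this example): refuse it
        # on every axis before the request reaches TensorFlow.
        if window > dim:
            return False, f"ksize[{axis}]={window} exceeds input dim {dim}"
    return True, "ok"


# Constructed sample requests (not taken from the advisory).
SAMPLES = [
    {"input_shape": (1, 4, 4, 3), "ksize": (1, 2, 2, 1), "strides": (1, 2, 2, 1)},
    {"input_shape": (1, 1, 1, 1), "ksize": (1, 2, 2, 1), "strides": (1, 1, 1, 1)},
    {"input_shape": (1, 4, 4, 3), "ksize": (2, 2), "strides": (1, 2, 2, 1)},
    {"input_shape": (1, 4, 4, 3), "ksize": (1, 0, 2, 1), "strides": (1, 2, 2, 1)},
]


def screen(samples):
    """Run the check over each request; the caller drops the rejected ones."""
    return [check_maxpool_args(**s) for s in samples]


if __name__ == "__main__":
    for sample, (ok, reason) in zip(SAMPLES, screen(SAMPLES)):
        print("ACCEPT" if ok else "REJECT", sample["ksize"], reason)
```

Logging the rejection reason alongside the request source gives the monitoring described above something to alert on before a crash occurs.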
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-07-15T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9845c4522896dcbf410d
Added to database: 5/21/2025, 9:09:25 AM
Last enriched: 6/22/2025, 7:36:34 PM
Last updated: 8/17/2025, 8:47:02 PM