CVE-2022-35997: CWE-617: Reachable Assertion in tensorflow tensorflow
TensorFlow is an open source platform for machine learning. If `tf.sparse.cross` receives an input `separator` that is not a scalar, it gives a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 83dcb4dbfa094e33db084e97c4d0531a559e0ebf. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.
AI Analysis
Technical Summary
CVE-2022-35997 is a medium-severity vulnerability in TensorFlow, an open-source machine learning platform widely used for developing and deploying machine learning models. The vulnerability arises from a reachable assertion failure (CWE-617) within the function tf.sparse.cross when it receives a non-scalar input for the 'separator' parameter. Specifically, if the 'separator' argument is not a scalar value as expected, the function triggers a CHECK failure, causing the program to abort unexpectedly. This behavior can be exploited to cause a denial of service (DoS) by crashing the TensorFlow process. The issue affects multiple TensorFlow versions: all versions prior to 2.7.2, versions from 2.8.0 up to but not including 2.8.1, and versions from 2.9.0 up to but not including 2.9.1. The vulnerability has been patched in TensorFlow 2.10.0 and backported to supported versions 2.7.2, 2.8.1, and 2.9.1. There are no known workarounds, and no exploits have been observed in the wild to date. The vulnerability requires that the attacker can supply crafted inputs to the tf.sparse.cross function, which is typically used in machine learning workflows involving sparse tensor operations. Because the vulnerability triggers an assertion failure, it impacts availability by crashing the TensorFlow process, but does not directly compromise confidentiality or integrity. Exploitation does not require authentication but does require the ability to influence the input parameters to TensorFlow operations, which may be limited depending on deployment context. The patch involves input validation to ensure the 'separator' parameter is a scalar, preventing the assertion failure.
Potential Impact
For European organizations, the primary impact of CVE-2022-35997 is the potential for denial of service in machine learning systems that utilize vulnerable TensorFlow versions. Organizations relying on TensorFlow for critical AI/ML workloads—such as financial institutions performing fraud detection, healthcare providers analyzing medical data, or manufacturing firms using predictive maintenance—may experience service disruptions if an attacker supplies malformed inputs to vulnerable functions. While the vulnerability does not lead to data leakage or unauthorized code execution, the availability impact can interrupt automated processes, delay decision-making, and degrade service quality. In environments where TensorFlow is integrated into larger pipelines or exposed via APIs, attackers with input access could trigger crashes, causing downtime or requiring manual intervention. Given the increasing reliance on AI/ML in European industries, even temporary outages could have operational and reputational consequences. However, the lack of known exploits and the requirement for specific input manipulation somewhat limit the immediate risk. Organizations with strict uptime requirements or those deploying TensorFlow in multi-tenant or exposed environments should prioritize remediation to avoid potential disruption.
Mitigation Recommendations
European organizations should take the following specific mitigation steps beyond generic patching advice:
1) Inventory all TensorFlow deployments and identify versions affected by this vulnerability, including embedded or containerized environments.
2) Upgrade TensorFlow to version 2.10.0 or later, or apply backported patches to supported versions 2.7.2, 2.8.1, or 2.9.1 as appropriate.
3) Implement input validation at the application layer to ensure that inputs to tf.sparse.cross and related functions enforce scalar constraints on the 'separator' parameter, reducing risk if patching is delayed.
4) For exposed ML inference services, apply strict input sanitization and limit access to trusted users or systems to prevent malicious input injection.
5) Monitor TensorFlow logs and application behavior for unexpected crashes or assertion failures that may indicate attempted exploitation.
6) Incorporate vulnerability scanning and dependency management tools into CI/CD pipelines to detect and remediate vulnerable TensorFlow versions proactively.
7) Engage with ML platform vendors or cloud providers to confirm patch status and coordinate updates.
These targeted actions will reduce the attack surface and minimize disruption risk.
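An added example, not code from TensorFlow or from this page, covering steps 1 to 3: it flags installed TensorFlow distributions whose version falls in the affected ranges given above and rejects a non-scalar `separator` before it reaches `tf.sparse.cross`. The function names and the list of distribution names are assumptions made for illustration.

```python
import re
from importlib import metadata

# Affected ranges from the analysis above, as half-open [low, high) tuples.
AFFECTED = [((0, 0, 0), (2, 7, 2)), ((2, 8, 0), (2, 8, 1)), ((2, 9, 0), (2, 9, 1))]
# Assumption: PyPI distribution names under which TensorFlow is commonly installed.
DISTRIBUTIONS = ("tensorflow", "tensorflow-cpu", "tensorflow-gpu")


def is_affected(version):
    """True if a version string such as '2.9.0' falls in an affected range.
    Pre-release suffixes ('rc1') are ignored; review such builds by hand."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    v = tuple(int(part) for part in m.groups())
    return any(low <= v < high for low, high in AFFECTED)


def audit_environment():
    """Map each installed TensorFlow distribution to (version, affected)."""
    found = {}
    for name in DISTRIBUTIONS:
        try:
            version = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
        found[name] = (version, is_affected(version))
    return found


def require_scalar_separator(separator):
    """Return `separator` only if it is None, a str/bytes, or a rank-0
    tensor-like object; raise ValueError for anything with rank > 0."""
    if separator is None or isinstance(separator, (str, bytes)):
        return separator
    shape = getattr(separator, "shape", None)  # duck-typed: tf.Tensor, ndarray
    if shape is not None and len(tuple(shape)) == 0:
        return separator
    raise ValueError("separator must be a scalar string")


if __name__ == "__main__":
    for dist, (ver, bad) in audit_environment().items():
        print(f"{dist} {ver}: {'AFFECTED, upgrade' if bad else 'ok'}")
```

Call `require_scalar_separator` on any request-derived value at the service boundary, so a malformed input becomes a handled `ValueError` instead of a process abort.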
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-07-15T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9845c4522896dcbf42fc
Added to database: 5/21/2025, 9:09:25 AM
Last enriched: 6/22/2025, 6:19:41 PM
Last updated: 8/17/2025, 12:34:20 AM