CVE-2022-35999 is a medium-severity vulnerability in TensorFlow, an open-source machine learning platform widely used for developing and deploying machine learning models. The vulnerability arises from a reachable assertion failure (CWE-617) in the Conv2DBackpropInput operation, which is part of TensorFlow's backpropagation implementation for convolutional neural networks. Specifically, when the Conv2DBackpropInput kernel receives an empty 'out_backprop' tensor input with certain dimensions (e.g., [3, 1, 0, 1]), the internal CHECK assertions in the CPU and GPU kernels (using dnnl and cudnn libraries respectively) fail, causing the process to crash. This results in a denial of service (DoS) condition, as the TensorFlow process handling the operation terminates unexpectedly. The issue affects multiple TensorFlow versions: all versions prior to 2.7.2, versions from 2.8.0 up to but not including 2.8.1, and versions from 2.9.0 up to but not including 2.9.1. The vulnerability has been patched in TensorFlow 2.10.0 and backported to 2.9.1, 2.8.1, and 2.7.2. No known workarounds exist, and no exploits have been observed in the wild. The vulnerability requires an attacker to supply crafted inputs to the Conv2DBackpropInput operation, which may require some level of access to the machine learning pipeline or API endpoints that accept tensor inputs. The impact is limited to denial of service, with no indication of code execution or data leakage. The vulnerability does not require user interaction beyond the crafted input and affects both CPU and GPU execution paths.

For European organizations leveraging TensorFlow in their machine learning workflows, this vulnerability primarily poses a risk of denial of service. Organizations using TensorFlow for critical AI/ML services—such as financial institutions employing AI for fraud detection, healthcare providers using ML for diagnostics, or manufacturing firms relying on AI for predictive maintenance—may experience service interruptions if an attacker supplies malformed inputs triggering the assertion failure. This could degrade availability of AI-powered applications, potentially impacting business operations and service delivery. Since the vulnerability causes process crashes, it may also increase operational overhead due to the need for restarts and troubleshooting. However, the vulnerability does not appear to allow unauthorized data access or code execution, limiting confidentiality and integrity impacts. The absence of known exploits reduces immediate risk, but the widespread use of TensorFlow in European research institutions, enterprises, and cloud providers means that unpatched systems remain vulnerable to potential DoS attacks. Attackers with access to ML model input channels or APIs could exploit this to disrupt services. The impact is more pronounced in environments where TensorFlow models are exposed to external or semi-trusted users, such as ML-as-a-service platforms or collaborative research projects.

European organizations should prioritize upgrading TensorFlow installations to version 2.10.0 or later, or apply the backported patches available for versions 2.7.2, 2.8.1, and 2.9.1. Since no workarounds exist, patching is the primary mitigation. Organizations should audit their ML pipelines to identify any exposed endpoints or APIs that accept tensor inputs, particularly those that might allow user-supplied data to reach Conv2DBackpropInput operations. Implementing strict input validation and sanitization at the application layer can help prevent malformed tensors from triggering the vulnerability. Monitoring and alerting on unexpected TensorFlow process crashes or restarts can provide early detection of exploitation attempts. For cloud-based ML services, applying network segmentation and access controls to limit who can submit model inputs reduces attack surface. Additionally, organizations should review their incident response plans to handle potential DoS incidents affecting ML services. Collaboration with cloud providers to ensure underlying TensorFlow versions are patched is also recommended. Finally, maintaining an inventory of TensorFlow versions in use across the organization will facilitate timely patch management.