The vulnerability identified as CVE-2022-23575 affects Google TensorFlow, an open-source machine learning framework. It is an integer overflow in the implementation of `OpLevelCostEstimator::CalculateTensorSize`, which can be triggered if an attacker can create an operation involving a tensor with a large enough number of elements: the byte size is derived from the element count and the element width, and a crafted shape pushes that product past the 64-bit range. The impact is a denial of service (DoS) of the process that optimizes the graph, for example through a crash or uncontrolled resource consumption.
With a CVSS 3.1 score of 6.5 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), the vulnerability is classified as medium severity: attack complexity is low, only low privileges are needed and no user interaction is required, while the impact is confined to availability, which is rated high. Patching should be prioritized, especially on systems that load or optimize models and graphs that come from outside the trust boundary.
As of now, there are no known public exploits or proofs of concept for this vulnerability. The fix is included in TensorFlow 2.8.0 and has been cherry-picked into 2.7.1, 2.6.3 and 2.5.3, the patch releases for the minor lines still within the supported range.
Organizations that use TensorFlow should inventory their deployments and confirm that each one runs a version that contains the fix. Regular updates and timely patching are core components of a robust security posture.
Vulnerability Details
The vulnerability is formally described as an integer overflow in the `OpLevelCostEstimator::CalculateTensorSize` function of TensorFlow. Its CVSS score is 6.5, medium severity; the rating is driven by the high availability impact, with no confidentiality or integrity impact. The affected product is TensorFlow, developed by Google, and the advisory was published on February 4, 2022.
Technical Analysis
The root cause of CVE-2022-23575 is an integer overflow in the tensor size calculation performed by TensorFlow's Grappler cost estimator (`OpLevelCostEstimator::CalculateTensorSize`). The size in bytes is computed from the tensor's element count and the width of its data type; with a sufficiently large number of elements the product no longer fits in a signed 64-bit integer and wraps to an incorrect value (possibly zero or negative), which downstream code then treats as a real size. The upstream fix guards the multiplication against overflow. The CVSS vector scores the attack as network-based with low complexity, low privileges and no user interaction; in practice this means the attacker must be able to get TensorFlow to process a graph or model they control, for example a model uploaded to a service that loads and optimizes it. The impact is limited to availability: a successful trigger leads to a denial of service.
Risk & Impact Analysis
The risk to organizations is a denial-of-service condition that disrupts service availability. Because machine learning frameworks are often embedded in critical pipelines, the blast radius can be substantial: every application and service that loads or optimizes graphs with a vulnerable TensorFlow build is exposed, and the exposure is greatest where models or graphs are accepted from untrusted users. Organizations should assess their exposure and prioritize remediation based on the CVSS score and the potential impact on their own deployments.
Exploitation Status
| Signal | Status |
|---|---|
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | No |
| Ransomware Use | No |
Affected Versions
The following versions of TensorFlow are affected: 2.5.2 and earlier; 2.6.0 through 2.6.2; and 2.7.0. Organizations should upgrade to TensorFlow 2.8.0, or to the patched release in the same minor line (2.7.1, 2.6.3 or 2.5.3).
Mitigation & Remediation
Organizations should upgrade TensorFlow to version 2.8.0, which contains the fix. If moving to a new minor version is not feasible, upgrade to the patch release that carries the backported fix for your minor line: 2.7.1, 2.6.3 or 2.5.3. Until the upgrade is in place, reduce exposure by only loading models and graphs from trusted sources, and by running model loading and graph optimization in an isolated worker process with memory and CPU limits, so that a crash or runaway allocation does not take down the serving process. Monitoring for abnormal behavior, as described below, complements these controls.
Detection Guidance
Exploitation of this bug leaves no distinctive network signature; it manifests as a crash or as abnormal resource consumption in the process that loads or optimizes the graph. Monitor for unexpected crashes and restarts of processes that load models (serving workers, training jobs, conversion tooling), for memory or CPU spikes that coincide with model loading, and for cost-estimation or optimization steps that abort. Correlate such events with the model or graph being processed and its origin, paying particular attention to models submitted by untrusted users.
AppSecure Threat Intelligence Insight
CVE-2022-23575 highlights the importance of keeping software components up to date and the risk that open-source frameworks carry when they process untrusted input. Organizations are advised to review their dependencies regularly and to run a vulnerability management program that includes routine security assessments and a timely patching process.
For additional resources, organizations can explore our penetration testing services which help identify vulnerabilities in their systems.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
