CVE-2022-29205: Medium Vulnerability in Google TensorFlow

A medium-severity vulnerability has been identified in Google TensorFlow, specifically affecting versions prior to 2.9.0. Organizations should prioritize patching to prevent potential denial of service due to segfaults.

MEDIUM · CVSS 5.5 · Published May 20, 2022

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, there is a potential for segfault / denial of service in TensorFlow by calling `tf.compat.v1.*` ops which don't yet have support for quantized types, which was added after migration to TensorFlow 2.x. In these scenarios, since the kernel is missing, a `nullptr` value is passed to `ParseDimensionValue` for the `py_value` argument. Then, this is dereferenced, resulting in segfault. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

The CVSS score for this vulnerability is 5.5, categorized as medium severity. The impact includes a high availability risk, meaning that attackers may leverage this vulnerability to cause denial of service conditions within affected systems.

Organizations should prioritize patching immediately. TensorFlow releases prior to 2.9.0 are affected unless they carry the fix; the patched releases are 2.9.0, 2.8.1, 2.7.2, and 2.6.4.

As this vulnerability has been published and acknowledged, defenders must act quickly to ensure their deployments are updated to mitigate any potential risks associated with this issue.

Vulnerability Details

The vulnerability allows for a potential segfault/denial of service. The CVSS 3.1 vector string indicates a local attack vector with low complexity, requiring low privileges and no user interaction. The affected product is TensorFlow, a widely used machine learning library developed by Google.

Technical Analysis

The root cause of this vulnerability stems from TensorFlow's handling of quantized types in its API, specifically in the context of `tf.compat.v1.*` operations. When these operations are invoked without the necessary support for the quantized types, a nullptr is dereferenced, which leads to a segmentation fault.

The attack vector for this vulnerability is local, meaning that an attacker needs to have local access to exploit it. The complexity of executing this attack is low, as it does not require any sophisticated techniques. The attacker must have low privileges, and there is no requirement for user interaction.

The impacts include a high availability risk, as the application can crash due to this flaw. However, there are no impacts on confidentiality or integrity.

Risk & Impact Analysis

Risk to organizations includes potential service interruption leading to denial of service. The availability impact is marked as high, indicating that this vulnerability could lead to severe operational disruptions if not addressed. Given the widespread use of TensorFlow in machine learning applications, the blast radius could extend across multiple systems relying on this library.

Organizations should address this vulnerability in their priority patch cycle to mitigate risks of exploitation and ensure operational continuity.

Exploitation Status

| Signal | Status |
| --- | --- |
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | No |
| Ransomware Use | No |

Affected Versions

The affected versions are TensorFlow releases prior to 2.9.0 that do not carry the fix. The patched releases are 2.9.0, 2.8.1, 2.7.2, and 2.6.4. Where version information is missing, all versions prior to the vendor patch should be treated as vulnerable.

Mitigation & Remediation

Organizations should update to TensorFlow 2.9.0 or later, or to one of the patched maintenance releases (2.8.1, 2.7.2, or 2.6.4), to mitigate this vulnerability. If immediate patching isn't feasible, consider implementing configuration hardening to limit exposure. Additional network controls may also help, including monitoring for any unusual activity that may indicate exploitation attempts.
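To confirm which pinned installs actually carry the fix, the following added example (not part of the original advisory or of TensorFlow) audits `pip freeze`-style text against the patched releases named above. The package names `tensorflow-cpu` and `tensorflow-gpu` and the sample pins are assumptions made for illustration.

```python
import re

# Patched releases named in the advisory, keyed by (major, minor) release line.
PATCHED = {(2, 6): 4, (2, 7): 2, (2, 8): 1}
FIRST_FIXED_LINE = (2, 9)  # 2.9.0 and every later release line carries the fix

# Exact pins only; tensorflow-cpu / tensorflow-gpu are assumed package variants.
REQ = re.compile(r"^\s*(tensorflow(?:-cpu|-gpu)?)\s*==\s*([^\s;#]+)", re.I)
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(.*)")


def is_patched(version):
    """True only when the version is a final release that contains the fix."""
    m = VERSION.fullmatch(version.strip())
    if not m:
        return False  # unparseable pin: treat as vulnerable
    major, minor, patch = (int(g) for g in m.groups()[:3])
    if m.group(4):
        return False  # rc/dev/local build: cannot vouch for it
    if (major, minor) >= FIRST_FIXED_LINE:
        return True
    fixed = PATCHED.get((major, minor))
    # Release lines older than 2.6 never received a backport.
    return fixed is not None and patch >= fixed


def audit(requirements):
    """Return (package, version, patched) for every TensorFlow pin found."""
    findings = []
    for line in requirements.splitlines():
        m = REQ.match(line)
        if m:
            findings.append((m.group(1).lower(), m.group(2), is_patched(m.group(2))))
    return findings


# Constructed sample input, in the shape of `pip freeze` output.
SAMPLE = """\
numpy==1.22.3
tensorflow==2.8.0
tensorflow-cpu==2.7.2
tensorflow-estimator==2.8.0
tensorflow-gpu==2.5.3
tensorflow==2.9.0rc1
"""

if __name__ == "__main__":
    for pkg, ver, ok in audit(SAMPLE):
        print(f"{pkg}=={ver}: {'patched' if ok else 'VULNERABLE'}")
```

Pre-release and unparseable pins are reported as vulnerable on purpose, so they get a manual look rather than a silent pass.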

Detection Guidance

Monitoring logs for segfault errors can help detect attempts to exploit this vulnerability. Behavioral anomalies in TensorFlow operations should also be noted, as they may indicate an ongoing attack.
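One way to turn this guidance into a check, as an added example that is not part of the original advisory: the script below triages Linux kernel segfault reports and raises priority when a Python process faults near address zero (consistent with the `nullptr` dereference described above) inside a TensorFlow native module. The module-name hints and the sample log lines are assumptions constructed for illustration.

```python
import re

# Linux kernel segfault report, e.g.
#   python3[4321]: segfault at 0 ip ... sp ... error 4 in lib.so[base+size]
SEGV = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip [0-9a-f]+ sp [0-9a-f]+ error (?P<err>\d+)"
    r"(?: in (?P<module>[^\s\[]+)\[)?"
)
NULL_PAGE = 0x1000  # a fault below this address is consistent with a nullptr dereference
TF_HINTS = ("tensorflow", "_pywrap")  # assumed substrings of TensorFlow native modules


def triage(lines):
    """Return one finding per segfault in a Python process, ranked high or low."""
    findings = []
    for line in lines:
        m = SEGV.search(line)
        if not m or not m["comm"].startswith("python"):
            continue  # not a segfault report, or not a Python process
        module = m["module"] or ""
        null_deref = int(m["addr"], 16) < NULL_PAGE
        in_tf = any(hint in module for hint in TF_HINTS)
        findings.append({
            "pid": int(m["pid"]),
            "module": module,
            "null_deref": null_deref,
            "priority": "high" if null_deref and in_tf else "low",
        })
    return findings


# Constructed sample kernel log lines (not taken from a real incident).
SAMPLE = [
    "May 20 10:15:01 ml-01 kernel: python3[4321]: segfault at 0 ip 00007f3a1c2b4d10 sp 00007ffd5e8a9b40 error 4 in _pywrap_tfe.so[7f3a1c200000+1a0000]",
    "May 20 10:16:44 ml-01 kernel: python3[4388]: segfault at 7f3a00001234 ip 00007f3a1d000010 sp 00007ffd5e8a0000 error 6 in libc.so.6[7f3a1cf00000+195000]",
    "May 20 10:17:02 ml-01 kernel: nginx[911]: segfault at 8 ip 000055d0c0de1000 sp 00007ffc00000000 error 4 in nginx[55d0c0d00000+120000]",
    "May 20 10:18:30 ml-01 systemd[1]: Started Session 12 of user mlops.",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Repeated high-priority findings from the same host or job are the signal worth correlating with the installed TensorFlow version.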

AppSecure Threat Intelligence Insight

The long-term significance of this vulnerability highlights the importance of maintaining updated libraries, especially for widely used frameworks like TensorFlow. Security teams should remain vigilant in monitoring for vulnerabilities that could lead to denial of service. Effective vulnerability management programs are crucial for identifying and mitigating risks promptly.

For further reading on vulnerability management, organizations can explore the following resources: vulnerability management program and the best practices in penetration testing methodology.

Additionally, organizations can improve their security posture by focusing on security testing best practices to identify potential weaknesses proactively.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
