AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2022-41902: TensorFlow is an open source platform for machine learning. The function MakeGrapplerFunctionItem takes arguments that d

highvulnerability

security

Source: NVD/CVE DatabaseDecember 6, 2022CVE-2022-41902

Summary

TensorFlow, an open source machine learning platform, has a bug in its MakeGrapplerFunctionItem function where providing input sizes that are greater than or equal to output sizes causes an out-of-bounds memory read (accessing memory locations outside the intended range) or a crash. This vulnerability affects how TensorFlow processes data when sizes are mismatched.

Solution / Mitigation

The issue has been patched in GitHub commit a65411a1d69edfb16b25907ffb8f73556ce36bb7. The fix is included in TensorFlow 2.11.0, and will also be included in TensorFlow 2.8.4, 2.9.3, and 2.10.1.

Vulnerability Details

CVSS Score

7.1(high)

EPSS (30-day exploit probability)

EPSS: 0.3%

Classification

Attack SophisticationModerate

Impact (CIA+S)

availabilityintegrity

AI Component TargetedFramework

Taxonomy References

CWE (Weakness Type)

CWE-787 CWE-125

CAPEC (Attack Pattern)

CAPEC-100 CAPEC-540

Affected Vendors

Original source: https://nvd.nist.gov/vuln/detail/CVE-2022-41902

First tracked: February 15, 2026 at 08:41 PM

Classified by LLM (prompt v3) · confidence: 95%