CVE-2022-41880: TensorFlow is an open source platform for machine learning. When the `BaseCandidateSamplerOp` function receives a value
Summary
TensorFlow, an open source machine learning platform, has a vulnerability in the `BaseCandidateSamplerOp` function that causes a heap OOB read (out-of-bounds read, where a program accesses memory it shouldn't) when it receives certain invalid input values. This is a memory safety bug that could allow attackers to read sensitive data from the program's memory.
Solution / Mitigation
The issue has been patched in GitHub commit b389f5c944cadfdfe599b3f1e4026e036f30d2d4. Users should update to TensorFlow 2.11, or if using earlier versions, update to TensorFlow 2.10.1, 2.9.3, or 2.8.4, which will also receive the fix through a cherry-pick (backporting the patch to older supported versions).
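One way to check pinned dependencies against the fixed releases listed above (an added example, not code from the advisory or the TensorFlow project). It assumes `pip freeze`-style `name==version` lines, treats the `tensorflow-cpu` and `tensorflow-gpu` distributions as equivalent to `tensorflow`, and conservatively counts branches older than 2.8 and pre-releases of a fixed version as unpatched; the sample input is constructed.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(2, 8): (2, 8, 4), (2, 9): (2, 9, 3), (2, 10): (2, 10, 1)}
FIRST_FIXED_BRANCH = (2, 11)  # 2.11 and later carry the patch

# Assumption: these PyPI distributions ship the same TensorFlow code.
PACKAGES = {"tensorflow", "tensorflow-cpu", "tensorflow-gpu"}
PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*((\d+)\.(\d+)(?:\.(\d+))?(\S*))")


def has_fix(version, prerelease=False):
    """True if (major, minor, patch) includes the CVE-2022-41880 patch."""
    branch = version[:2]
    if branch >= FIRST_FIXED_BRANCH:
        fixed = FIRST_FIXED_BRANCH + (0,)
    elif branch in FIXED:
        fixed = FIXED[branch]
    else:
        return False  # assumption: no fixed release exists for older branches
    if prerelease and version == fixed:
        return False  # assumption: an rc of the fixed release may predate the patch
    return version >= fixed


def audit(lines):
    """Return [(package, version, patched)] for each pinned TensorFlow line."""
    findings = []
    for line in lines:
        m = PIN.match(line)
        if not m or m.group(1).lower().replace("_", "-") not in PACKAGES:
            continue
        version = (int(m.group(3)), int(m.group(4)), int(m.group(5) or 0))
        prerelease = bool(re.match(r"[.-]?(a|b|rc|dev)\d*", m.group(6)))
        findings.append((m.group(1), m.group(2), has_fix(version, prerelease)))
    return findings


# Constructed sample input in `pip freeze` format.
SAMPLE = """numpy==1.23.4
tensorflow==2.10.0
tensorflow-cpu==2.9.3
tensorflow==2.11.0rc1
tensorflow_gpu==2.7.4
tensorflow==2.12.0""".splitlines()

if __name__ == "__main__":
    for name, version, patched in audit(SAMPLE):
        print(f"{name}=={version}: {'patched' if patched else 'UPDATE REQUIRED'}")
```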
Vulnerability Details
6.8 (medium)
EPSS: 0.2%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2022-41880
First tracked: February 15, 2026 at 08:41 PM