CVE-2022-41888: TensorFlow is an open source platform for machine learning. When running on GPU, `tf.image.generate_bounding_box_proposa
Summary
TensorFlow, an open source machine learning platform, has a vulnerability in its `tf.image.generate_bounding_box_proposals` function when running on GPU. The function does not validate that the `scores` input has the correct rank (number of dimensions), which could cause problems. This is classified as improper input validation (CWE-20, where a program does not properly check that data meets required specifications).
Solution / Mitigation
The fix is included in TensorFlow 2.11 and has been backported to versions 2.10.1, 2.9.3, and 2.8.4. Users should update to one of these patched versions. The patch details are available in GitHub commit cf35502463a88ca7185a99daa7031df60b3c1c98.
Vulnerability Details
4.8 (medium)
EPSS: 0.2%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2022-41888
First tracked: February 15, 2026 at 08:41 PM