AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2022-41897: TensorFlow is an open source platform for machine learning. If `FractionMaxPoolGrad` is given outsize inputs `row_poolin

mediumvulnerability

security

Source: NVD/CVE DatabaseNovember 18, 2022CVE-2022-41897

Summary

TensorFlow (an open-source machine learning platform) crashes when a function called `FractionMaxPoolGrad` receives oversized inputs for `row_pooling_sequence` and `col_pooling_sequence` parameters. This is caused by an out-of-bounds read (accessing memory locations outside the intended range), which allows the program to fail unexpectedly.

Solution / Mitigation

The patch is available in GitHub commit d71090c3e5ca325bdf4b02eb236cfb3ee823e927. Users should upgrade to TensorFlow 2.11, or apply the patch to supported earlier versions: 2.10.1, 2.9.3, and 2.8.4.

Vulnerability Details

CVSS Score

4.8(medium)

EPSS (30-day exploit probability)

EPSS: 0.1%

Classification

Attack SophisticationTrivial

Impact (CIA+S)

availability

AI Component TargetedFramework

Taxonomy References

CWE (Weakness Type)

CWE-125

CAPEC (Attack Pattern)

CAPEC-540

Affected Vendors

Original source: https://nvd.nist.gov/vuln/detail/CVE-2022-41897

First tracked: February 15, 2026 at 08:41 PM

Classified by LLM (prompt v3) · confidence: 95%