CVE-2022-21739: Tensorflow is an Open Source Machine Learning Framework. The implementation of `QuantizedMaxPool` has an undefined behav
Tags: medium · vulnerability · security
Summary
TensorFlow (an open source machine learning framework) has a bug in its `QuantizedMaxPool` function where user-controlled inputs can trigger a null pointer dereference (a crash caused by the program using a pointer that does not refer to a valid object in memory). The vulnerability allows an attacker who controls the inputs to this operation to crash the program or cause it to behave unpredictably.
Solution / Mitigation
The fix will be included in TensorFlow 2.8.0. The patch will also be backported to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3. Users should update to one of these versions or later.
Vulnerability Details
CVSS Score
6.5 (medium)
EPSS (30-day exploit probability)
EPSS: 0.2%
Classification
Attack Sophistication: Moderate
Impact (CIA+S): Availability, Integrity
AI Component Targeted: Framework
Affected Vendors
Original source: https://nvd.nist.gov/vuln/detail/CVE-2022-21739
First tracked: February 15, 2026 at 08:40 PM
Classified by LLM (prompt v3) · confidence: 95%