AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2022-35937: TensorFlow is an open source platform for machine learning. The `GatherNd` function takes arguments that determine the s

highvulnerability

security

Source: NVD/CVE DatabaseSeptember 16, 2022CVE-2022-35937

Summary

TensorFlow's `GatherNd` function (a tool that retrieves values from arrays based on index locations) has a vulnerability where it can read memory it shouldn't access if certain input sizes are too large. This happens because the function doesn't properly check if inputs exceed the expected output sizes, potentially exposing sensitive data or crashing the system.

Solution / Mitigation

The fix will be included in TensorFlow 2.10.0. Patched versions will also be available in TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2. The source notes there are no known workarounds for this issue.

Vulnerability Details

CVSS Score

7(high)

EPSS (30-day exploit probability)

EPSS: 0.1%

Classification

Attack SophisticationModerate

Impact (CIA+S)

confidentialityavailability

AI Component TargetedFramework

Taxonomy References

CWE (Weakness Type)

CWE-125

CAPEC (Attack Pattern)

CAPEC-540

Affected Vendors

Original source: https://nvd.nist.gov/vuln/detail/CVE-2022-35937

First tracked: February 15, 2026 at 08:41 PM

Classified by LLM (prompt v3) · confidence: 95%