AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2022-41887: TensorFlow is an open source platform for machine learning. `tf.keras.losses.poisson` receives a `y_pred` and `y_true` t

mediumvulnerability

security

Source: NVD/CVE DatabaseNovember 18, 2022CVE-2022-41887

Summary

TensorFlow's poisson loss function (a tool for measuring prediction errors in machine learning) crashes when certain input dimensions multiply together and exceed the limit of a 32-bit integer, causing a size mismatch during broadcast assignment (aligning data for computation). The vulnerability affects multiple versions of TensorFlow.

Solution / Mitigation

The issue has been patched in GitHub commit c5b30379ba87cbe774b08ac50c1f6d36df4ebb7c. The fix will be included in TensorFlow 2.11, and will also be patched in TensorFlow 2.10.1 and 2.9.3. TensorFlow 2.8.x will not receive this patch due to dependency changes in the underlying Eigen library between versions.

Vulnerability Details

CVSS Score

4.8(medium)

EPSS (30-day exploit probability)

EPSS: 0.1%

Classification

Attack Type

DoS

Attack SophisticationModerate

Impact (CIA+S)

availability

AI Component TargetedFramework

Taxonomy References

CWE (Weakness Type)

CWE-131

Affected Vendors

Related Issues

medium

CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem

Similar attackNVD/CVE Database

low

CVE-2021-29541: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null p

First tracked: February 15, 2026 at 08:41 PM

Classified by LLM (prompt v3) · confidence: 95%