Home » Database

AVID-2026-R1136

Description

Overflow in FusedResizeAndPadConv2D in Tensorflow (CVE-2022-41885)

Details

TensorFlow is an open source platform for machine learning. When tf.raw_ops.FusedResizeAndPadConv2D is given a large tensor shape, it overflows. We have patched the issue in GitHub commit d66e1d568275e6a2947de97dca7a102a211e01ce. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2022-41885 describes a buffer overflow in TensorFlow’s FusedResizeAndPadConv2D, an ML framework component. This is a vulnerability in software used to build/deploy AI systems, affecting the AI software stack (TensorFlow). The report includes remediation (patch commit), affected versions, and references, establishing clear security impact. Therefore it satisfies AI-related, GP AI supply chain, security/safety vulnerability, and sufficiency criteria.

References

Affected or Relevant Artifacts

  • Developer: tensorflow
  • Deployer: tensorflow
  • Artifact Details:
TypeName
Systemtensorflow

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.1
Vector StringCVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H
Base Score4.8
Base Severity🟠 Medium
Attack VectorNETWORK
Attack Complexity🔴 High
Privileges Required🟢 Low
User InteractionREQUIRED
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability Impact🔴 High

CWE

IDDescription
CWE-131CWE-131: Incorrect Calculation of Buffer Size

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2022-11-18
  • Version: 0.3.3
  • AVID Entry