AVID-2026-R1150

Description

FractionalMaxPool and FractionalAVGPool heap out-of-bounds acess in Tensorflow (CVE-2022-41900)

Details

TensorFlow is an open source platform for machine learning. The security vulnerability results in FractionalMax(AVG)Pool with illegal pooling_ratio. Attackers using Tensorflow can exploit the vulnerability. They can access heap memory which is not in the control of user, leading to a crash or remote code execution. We have patched the issue in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48. The fix will be included in TensorFlow 2.11.0. We will also cherry pick this commit on TensorFlow 2.10.1.

Reason for inclusion in AVID: CVE-2022-41900 is a vulnerability in TensorFlow, a core ML framework widely used in AI systems. It concerns AI software stack components (FractionalMaxPool/Pool) and can lead to crashes or remote code execution. This directly affects the software supply chain for general-purpose AI (frameworks, runtimes, and ML pipelines). The report provides explicit vulnerability behavior, affected components, and references including patches, satisfying evidence requirements.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xvwp-h6jv-7472
• https://github.com/tensorflow/tensorflow/commit/216525144ee7c910296f5b05d214ca1327c9ce48

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-11-18
• Version: 0.3.3
• AVID Entry