CVE-2022-41887: 
Python vulnerability analysis and mitigation

TensorFlow's tf.keras.losses.poisson function contains a vulnerability where it receives y_pred and y_true parameters that are passed through functor::mul in BinaryOp. When the resulting dimensions overflow an int32, TensorFlow crashes due to a size mismatch during broadcast assignment. This vulnerability was assigned CVE-2022-41887 and was discovered in versions prior to 2.11.0 (GitHub Advisory).

The vulnerability occurs in the dimension handling within the binary operations implementation. The issue stems from a dimension type mismatch where the code was using int instead of Eigen::DenseIndex for dimension calculations. This becomes problematic when dealing with large tensor dimensions that can overflow a 32-bit integer during broadcast operations (TensorFlow Commit).

When exploited, this vulnerability causes TensorFlow to crash when processing tensors with dimensions large enough to trigger the integer overflow condition. This can lead to denial of service in applications using the affected TensorFlow versions. The practical impact is somewhat limited as successful exploitation requires operations with more than 2^32 elements, which would cause out-of-memory conditions on most machines (GitHub Advisory).

The issue has been fixed in TensorFlow versions 2.9.3, 2.10.1, and 2.11.0. Users should upgrade to these patched versions. Note that the fix was not backported to TensorFlow 2.8.x due to incompatible changes in Eigen behavior between versions 2.8 and 2.9 (GitHub Advisory).