
Cloud Vulnerability DB
A community-led vulnerabilities database
TensorFlow, an open source platform for machine learning, was found to contain a vulnerability (CVE-2022-41897) in which the FractionalMaxPoolGrad operation causes TensorFlow to crash when it is given out-of-range inputs for row_pooling_sequence and col_pooling_sequence. The vulnerability was discovered by Yu Tian from Qihoo 360 AIVul Team and was disclosed on November 18, 2022. This issue affected TensorFlow versions prior to 2.11.0 (GitHub Advisory).
The vulnerability exists in the FractionalMaxPoolGrad operation, where out-of-range values in the row_pooling_sequence and col_pooling_sequence inputs trigger a heap out-of-bounds access. The issue can be reproduced by calling tf.raw_ops.FractionalMaxPoolGrad with out-of-range values such as -0x4000000 for the pooling sequences (GitHub Advisory).
When triggered, this vulnerability crashes the TensorFlow process, which amounts to a denial of service. The severity is classified as LOW because only availability is affected; data integrity and confidentiality are not compromised (GitHub Advisory).
The issue has been patched in multiple TensorFlow release lines. Users should upgrade to one of the following patched versions: TensorFlow 2.8.4, 2.9.3, 2.10.1, or 2.11.0. The fix was implemented in GitHub commit d71090c3e5ca325bdf4b02eb236cfb3ee823e927 (GitHub Advisory).
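To make the failure mode concrete, the following Python is an added example (it is not TensorFlow's own code and not the fix from the patched releases) that validates FractionalMaxPoolGrad-style inputs before the op ever indexes memory. The invariants it encodes, namely that a cumulative pooling sequence has output_size + 1 entries, starts at 0, is strictly increasing and never passes the input size, are taken from how the forward FractionalMaxPool op constructs its sequences and are stated here as an assumption; the function names, the 4x4 input and the sample sequences are constructed for this example. Running it shows a well-formed sequence passing and the -0x4000000 value from the report being rejected.

```python
# Added example (not TensorFlow's code, not the patched-release fix):
# pre-flight validation of FractionalMaxPoolGrad-style inputs. It encodes
# the invariants a well-formed cumulative pooling sequence satisfies
# (assumption for this example): length output_size + 1, first element 0,
# strictly increasing, last element not beyond input_size. A sequence that
# violates them would make the kernel read outside the input buffer.
# Function names, shapes and sample sequences are constructed.
from typing import List, Sequence, Tuple


def check_pooling_sequence(seq: Sequence[int], input_size: int,
                           output_size: int, name: str) -> None:
    """Raise ValueError unless `seq` is a valid cumulative pooling sequence
    that splits a dimension of `input_size` into `output_size` regions."""
    if len(seq) != output_size + 1:
        raise ValueError(f"{name}: expected {output_size + 1} boundaries, "
                         f"got {len(seq)}")
    if seq[0] != 0:
        raise ValueError(f"{name}: first boundary must be 0, got {seq[0]}")
    for i in range(1, len(seq)):
        # Strictly increasing: every pooling region covers >= 1 input index.
        if seq[i] <= seq[i - 1]:
            raise ValueError(f"{name}: boundaries must be strictly increasing, "
                             f"but seq[{i - 1}]={seq[i - 1]} >= seq[{i}]={seq[i]}")
    if seq[-1] > input_size:
        raise ValueError(f"{name}: last boundary {seq[-1]} exceeds "
                         f"input size {input_size}")


def pooling_regions(seq: Sequence[int], input_size: int,
                    overlapping: bool) -> List[Tuple[int, int]]:
    """Inclusive [start, end] input index range read for each output cell.
    With overlapping=True neighbouring regions share their boundary index;
    the end index is clamped to the last valid input index."""
    regions = []
    for r in range(len(seq) - 1):
        start = seq[r]
        end = seq[r + 1] if overlapping else seq[r + 1] - 1
        end = min(end, input_size - 1)
        regions.append((start, end))
    return regions


def regions_in_bounds(seq: Sequence[int], input_size: int,
                      overlapping: bool) -> bool:
    """True if every region lies inside [0, input_size): the property an
    out-of-range sequence breaks, leading to the out-of-bounds access."""
    return all(0 <= start <= end < input_size
               for start, end in pooling_regions(seq, input_size, overlapping))


def validate_grad_inputs(orig_input_shape: Sequence[int],
                         orig_output_shape: Sequence[int],
                         row_seq: Sequence[int], col_seq: Sequence[int],
                         overlapping: bool = False) -> bool:
    """Validate NHWC shapes plus both pooling sequences. Raises ValueError
    on the first violation and returns True when everything is consistent."""
    if len(orig_input_shape) != 4 or len(orig_output_shape) != 4:
        raise ValueError("expected rank-4 NHWC shapes")
    in_rows, in_cols = orig_input_shape[1], orig_input_shape[2]
    out_rows, out_cols = orig_output_shape[1], orig_output_shape[2]
    check_pooling_sequence(row_seq, in_rows, out_rows, "row_pooling_sequence")
    check_pooling_sequence(col_seq, in_cols, out_cols, "col_pooling_sequence")
    if not regions_in_bounds(row_seq, in_rows, overlapping):
        raise ValueError("row_pooling_sequence produces an out-of-bounds region")
    if not regions_in_bounds(col_seq, in_cols, overlapping):
        raise ValueError("col_pooling_sequence produces an out-of-bounds region")
    return True


def is_safe(orig_input_shape, orig_output_shape, row_seq, col_seq,
            overlapping: bool = False) -> bool:
    """Boolean wrapper: True if the inputs pass validation, False otherwise."""
    try:
        return validate_grad_inputs(orig_input_shape, orig_output_shape,
                                    row_seq, col_seq, overlapping)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a 4x4 input pooled to 2x2, boundaries at 0, 2, 4.
    good_seq = [0, 2, 4]
    print("well-formed:", is_safe([1, 4, 4, 1], [1, 2, 2, 1], good_seq, good_seq))
    print("regions (non-overlapping):", pooling_regions(good_seq, 4, False))
    # The out-of-range value from the report, which a kernel without checks
    # would use directly as a row/column index.
    bad_seq = [-0x4000000] * 5
    print("out-of-range:", is_safe([1, 4, 4, 1], [1, 4, 4, 1], bad_seq, bad_seq))
```

The check is deliberately stricter than a single bounds test: a sequence that is in range but not increasing, or of the wrong length, is also rejected, because any of those shapes can send the gradient kernel to an index outside the input tensor. It is a caller-side sanity check; the authoritative fix is the upgrade to a patched TensorFlow release listed above.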
Source: This report was generated using AI