Loading HuntDB...

Vulnerability Intelligence by wss.sh

Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News

More Sources

HackerOne Reports

Bug bounty disclosures

WordPress Vulnerabilities

WordPress plugins & themes

Tools & Data

Trending Insights

Popular vulnerabilities

Top Critical CVEs

Highest risk vulnerabilities

Advanced Search

Filter & search CVEs

Product Inventory

Software & vendors

Discover domains across TLDs

Sign In Sign Up

GHSA-xvwp-h6jv-7472

GitHub Security Advisory

FractionalMaxPool and FractionalAVGPool heap out-of-bounds acess

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

### Impact
An input `pooling_ratio` that is smaller than 1 will trigger a heap OOB in [`tf.raw_ops.FractionalMaxPool`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/fractional_max_pool_op.cc) and [`tf.raw_ops.FractionalAvgPool`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/fractional_avg_pool_op.cc).

### Patches
We have patched the issue in GitHub commit [216525144ee7c910296f5b05d214ca1327c9ce48](https://github.com/tensorflow/tensorflow/commit/216525144ee7c910296f5b05d214ca1327c9ce48).

The fix will be included in TensorFlow 2.11.0. We will also cherry pick this commit on TensorFlow 2.10.1.

### For more information
Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.

Affected Packages

PyPI tensorflow

Affected versions: 0 (fixed in 2.8.4)

PyPI tensorflow

Affected versions: 2.9.0 (fixed in 2.9.3)

PyPI tensorflow

Affected versions: 2.10.0 (fixed in 2.10.1)

PyPI tensorflow-cpu

Affected versions: 0 (fixed in 2.8.4)

PyPI tensorflow-gpu

Affected versions: 0 (fixed in 2.8.4)

PyPI tensorflow-cpu

Affected versions: 2.9.0 (fixed in 2.9.3)

PyPI tensorflow-gpu

Affected versions: 2.9.0 (fixed in 2.9.3)

PyPI tensorflow-cpu

Affected versions: 2.10.0 (fixed in 2.10.1)

PyPI tensorflow-gpu

Affected versions: 2.10.0 (fixed in 2.10.1)

Related CVEs

CVE-2022-41900

Key Information

GHSA ID

GHSA-xvwp-h6jv-7472

Published

November 21, 2022 10:03 PM

Last Modified

November 21, 2022 10:03 PM

CVSS Score

7.5 /10

Primary Ecosystem

PyPI

Primary Package

tensorflow

GitHub Reviewed

✓ Yes

Dataset

Last updated: November 23, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.