CVE-2022-21727 — Integer Overflow or Wraparound in Intel Optimization FOR Tensorflow

CWE-190 — Integer Overflow or Wraparound6 documents5 sources

Severity

8.8HIGHNVD

CNA7.6

EPSS

0.3%

top 45.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Intel Optimization FOR Tensorflow Google Tensorflow

Timeline

PublishedFeb 3

Latest updateFeb 9

Description

Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulnerable to an integer overflow weakness. The `axis` argument can be `-1` (the default value for the optional argument) or any other positive value at most the number of dimensions of the input. Unfortunately, the upper bound is not checked, and, since the code computes `axis + 1`, an attacker can trigger an integer overflow. The fix will be included in TensorFlow 2.8.0. We will a…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶PyPIintel/optimization_for_tensorflow2.6.0 — 2.6.3+2

▶NVDgoogle/tensorflow2.6.0 — 2.6.2+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Integer overflow in Tensorflow↗2022-02-09

▶

OSV

Integer overflow in Tensorflow↗2022-02-09

▶

OSV

CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework↗2022-02-03

▶

CVEList

Integer overflow in Tensorflow↗2022-02-03

▶

📋Vendor Advisories

Debian

CVE-2022-21727: tensorflow - Tensorflow is an Open Source Machine Learning Framework. The implementation of s...↗2022

▶