CVE-2022-23578 — Missing Release of Memory after Effective Lifetime in Tensorflow

CWE-401 — Missing Release of Memory after Effective Lifetime6 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 57.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Intel Optimization FOR Tensorflow Google Tensorflow

Timeline

PublishedFeb 4

Latest updateFeb 10

Description

Tensorflow is an Open Source Machine Learning Framework. If a graph node is invalid, TensorFlow can leak memory in the implementation of `ImmutableExecutorState::Initialize`. Here, we set `item->kernel` to `nullptr` but it is a simple `OpKernel*` pointer so the memory that was previously allocated to it would leak. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5tensorflow/tensorflow< 2.5.3+2

▶PyPIintel/optimization_for_tensorflow2.6.0 — 2.6.3+2

▶NVDgoogle/tensorflow2.6.0 — 2.6.2+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Memory leak in Tensorflow↗2022-02-10

▶

GHSA

Memory leak in Tensorflow↗2022-02-10

▶

OSV

CVE-2022-23578: Tensorflow is an Open Source Machine Learning Framework↗2022-02-04

▶

CVEList

Memory leak in Tensorflow↗2022-02-04

▶

📋Vendor Advisories

Debian

CVE-2022-23578: tensorflow - Tensorflow is an Open Source Machine Learning Framework. If a graph node is inva...↗2022

▶