CVE-2022-23585Missing Release of Memory after Effective Lifetime in Tensorflow

CWE-401Missing Release of Memory after Effective Lifetime6 documents5 sources
Severity
6.5MEDIUMNVD
CNA4.3
EPSS
0.7%
top 28.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
TensorflowIntel Optimization FOR TensorflowGoogle Tensorflow
Timeline
PublishedFeb 4
Latest updateFeb 9

Description

Tensorflow is an Open Source Machine Learning Framework. When decoding PNG images TensorFlow can produce a memory leak if the image is invalid. After calling `png::CommonInitDecode(..., &decode)`, the `decode` value contains allocated buffers which can only be freed by calling `png::CommonFreeDecode(&decode)`. However, several error case in the function implementation invoke the `OP_REQUIRES` macro which immediately terminates the execution of the function, without allowing for the memory free t

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

CVEListV5tensorflow/tensorflow< 2.5.3+2
PyPIintel/optimization_for_tensorflow2.6.02.6.3+2
NVDgoogle/tensorflow2.6.02.6.2+2

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
Memory leak in decoding PNG images2022-02-09
GHSA
Memory leak in decoding PNG images2022-02-09
CVEList
Memory leak in decoding PNG images in Tensorflow2022-02-04
OSV
CVE-2022-23585: Tensorflow is an Open Source Machine Learning Framework2022-02-04

📋Vendor Advisories

1
Debian
CVE-2022-23585: tensorflow - Tensorflow is an Open Source Machine Learning Framework. When decoding PNG image...2022
CVE-2022-23585 — Tensorflow vulnerability | cvebase