CVE-2022-23592 — Out-of-bounds Read in Google Tensorflow

CWE-125 — Out-of-bounds Read6 documents5 sources

Severity

8.1HIGHNVD

EPSS

0.3%

top 45.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Tensorflow Intel Optimization FOR Tensorflow Tensorflow

Timeline

PublishedFeb 4

Latest updateFeb 9

Description

Tensorflow is an Open Source Machine Learning Framework. TensorFlow's type inference can cause a heap out of bounds read as the bounds checking is done in a `DCHECK` (which is a no-op during production). An attacker can control the `input_idx` variable such that `ix` would be larger than the number of values in `node_t.args`. The fix will be included in TensorFlow 2.8.0. This is the only affected version.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 2.8 | Impact: 5.2

Affected Packages3 packages

▶NVDgoogle/tensorflow2.7.0 — 2.8.0

▶PyPIintel/optimization_for_tensorflow2.8.0-rc0 — 2.8.0

▶CVEListV5tensorflow/tensorflow= 2.8.0-rc0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Out of bounds read in Tensorflow↗2022-02-09

▶

OSV

Out of bounds read in Tensorflow↗2022-02-09

▶

OSV

CVE-2022-23592: Tensorflow is an Open Source Machine Learning Framework↗2022-02-04

▶

CVEList

Out of bounds read in Tensorflow↗2022-02-04

▶

📋Vendor Advisories

Debian

CVE-2022-23592: tensorflow - Tensorflow is an Open Source Machine Learning Framework. TensorFlow's type infer...↗2022

▶