CVE-2022-29203 — Integer Overflow or Wraparound in Tensorflow

CWE-190 — Integer Overflow or Wraparound5 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 86.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow

Timeline

PublishedMay 20

Latest updateMay 24

Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.SpaceToBatchND` (in all backends such as XLA and handwritten kernels) is vulnerable to an integer overflow: The result of this integer overflow is used to allocate the output tensor, hence we get a denial of service via a `CHECK`-failure (assertion failure), as in TFSA-2021-198. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶NVDgoogle/tensorflow2.7.0 — 2.7.2+4

▶CVEListV5tensorflow/tensorflow< 2.6.4+3

▶PyPIintel/optimization_for_tensorflow2.7.0 — 2.7.2+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Integer overflow in `SpaceToBatchND`↗2022-05-24

▶

OSV

Integer overflow in `SpaceToBatchND`↗2022-05-24

▶

CVEList

Integer overflow in `SpaceToBatchND` in TensorFlow↗2022-05-20

▶

📋Vendor Advisories

Debian

CVE-2022-29203: tensorflow - TensorFlow is an open source platform for machine learning. Prior to versions 2....↗2022

▶