CVE-2022-29206 — Improper Input Validation in Tensorflow

CWE-20 — Improper Input Validation CWE-476 — NULL Pointer Dereference5 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 80.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow

Timeline

PublishedMay 20

Latest updateMay 24

Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.SparseTensorDenseAdd` does not fully validate the input arguments. In this case, a reference gets bound to a `nullptr` during kernel execution. This is undefined behavior. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶NVDgoogle/tensorflow2.7.0 — 2.7.2+4

▶CVEListV5tensorflow/tensorflow< 2.6.4+3

▶PyPIintel/optimization_for_tensorflow2.7.0 — 2.7.2+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Missing validation results in undefined behavior in `SparseTensorDenseAdd↗2022-05-24

▶

GHSA

Missing validation results in undefined behavior in `SparseTensorDenseAdd↗2022-05-24

▶

CVEList

Missing validation results in undefined behavior in `SparseTensorDenseAdd` in TensorFlow↗2022-05-20

▶

📋Vendor Advisories

Debian

CVE-2022-29206: tensorflow - TensorFlow is an open source platform for machine learning. Prior to versions 2....↗2022

▶