CVE-2022-29209 — Type Confusion in Tensorflow

CWE-843 — Type Confusion5 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 77.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow

Timeline

PublishedMay 21

Latest updateMay 24

Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the macros that TensorFlow uses for writing assertions (e.g., `CHECK_LT`, `CHECK_GT`, etc.) have an incorrect logic when comparing `size_t` and `int` values. Due to type conversion rules, several of the macros would trigger incorrectly. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶NVDgoogle/tensorflow2.7.0 — 2.7.2+4

▶CVEListV5tensorflow/tensorflow< 2.6.4+3

▶PyPIintel/optimization_for_tensorflow2.7.0 — 2.7.2+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Type confusion leading to `CHECK`-failure based denial of service in TensorFlow↗2022-05-24

▶

GHSA

Type confusion leading to `CHECK`-failure based denial of service in TensorFlow↗2022-05-24

▶

CVEList

Type confusion leading to `CHECK`-failure based denial of service in TensorFlow↗2022-05-20

▶

📋Vendor Advisories

Debian

CVE-2022-29209: tensorflow - TensorFlow is an open source platform for machine learning. Prior to versions 2....↗2022

▶