CVE-2022-29210Classic Buffer Overflow in Intel Optimization FOR Tensorflow

CWE-120Classic Buffer OverflowCWE-122Heap-based Buffer OverflowCWE-787Out-of-bounds Write5 documents5 sources
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 88.51%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Intel Optimization FOR TensorflowTensorflowGoogle Tensorflow
Timeline
PublishedMay 21
Latest updateMay 24

Description

TensorFlow is an open source platform for machine learning. In version 2.8.0, the `TensorKey` hash function used total estimated `AllocatedBytes()`, which (a) is an estimate per tensor, and (b) is a very poor hash function for constants (e.g. `int32_t`). It also tried to access individual tensor bytes through `tensor.data()` of size `AllocatedBytes()`. This led to ASAN failures because the `AllocatedBytes()` is an estimate of total bytes allocated by a tensor, including any pointed-to constructs

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

PyPIintel/optimization_for_tensorflow2.8.02.8.1
CVEListV5tensorflow/tensorflow== 2.8.0

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
Heap buffer overflow due to incorrect hash function in TensorFlow2022-05-24
GHSA
Heap buffer overflow due to incorrect hash function in TensorFlow2022-05-24
CVEList
Heap buffer overflow due to incorrect hash function in TensorFlow2022-05-20

📋Vendor Advisories

1
Debian
CVE-2022-29210: tensorflow - TensorFlow is an open source platform for machine learning. In version 2.8.0, th...2022
CVE-2022-29210 — Classic Buffer Overflow in Intel | cvebase