CVE-2022-36000 — NULL Pointer Dereference in Tensorflow

CWE-476 — NULL Pointer Dereference5 documents5 sources

Severity

7.5HIGHNVD

CNA5.9

EPSS

0.1%

top 77.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow

Timeline

PublishedSep 16

Description

TensorFlow is an open source platform for machine learning. When `mlir::tfg::ConvertGenericFunctionToFunctionDef` is given empty function attributes, it gives a null dereference. We have patched the issue in GitHub commit aed36912609fc07229b4d0a7b44f3f48efc00fd0. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDgoogle/tensorflow2.8.0 — 2.8.1+3

▶CVEListV5tensorflow/tensorflow< 2.7.2+2

▶PyPIintel/optimization_for_tensorflow2.8.0 — 2.8.1+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

TensorFlow vulnerable to null dereference on MLIR on empty function attributes↗2022-09-16

▶

CVEList

Null dereference on MLIR on empty function attributes in TensorFlow↗2022-09-16

▶

GHSA

TensorFlow vulnerable to null dereference on MLIR on empty function attributes↗2022-09-16

▶

📋Vendor Advisories

Debian

CVE-2022-36000: tensorflow - TensorFlow is an open source platform for machine learning. When `mlir::tfg::Con...↗2022

▶