CVE-2022-36011NULL Pointer Dereference in Tensorflow

CWE-476NULL Pointer Dereference5 documents5 sources
Severity
7.5HIGHNVD
CNA5.9
EPSS
0.1%
top 77.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
TensorflowGoogle TensorflowIntel Optimization FOR Tensorflow
Timeline
PublishedSep 16

Description

TensorFlow is an open source platform for machine learning. When `mlir::tfg::ConvertGenericFunctionToFunctionDef` is given empty function attributes, it gives a null dereference. We have patched the issue in GitHub commit 1cf45b831eeb0cab8655c9c7c5d06ec6f45fc41b. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDgoogle/tensorflow2.8.02.8.1+3
CVEListV5tensorflow/tensorflow< 2.7.2+2
PyPIintel/optimization_for_tensorflow2.8.02.8.1+2

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
CVEList
Null dereference on MLIR on empty function attributes in TensorFlow2022-09-16
OSV
TensorFlow vulnerable to null dereference on MLIR on empty function attributes2022-09-16
GHSA
TensorFlow vulnerable to null dereference on MLIR on empty function attributes2022-09-16

📋Vendor Advisories

1
Debian
CVE-2022-36011: tensorflow - TensorFlow is an open source platform for machine learning. When `mlir::tfg::Con...2022
CVE-2022-36011 — NULL Pointer Dereference in Tensorflow | cvebase