CVE-2022-36012Reachable Assertion in Tensorflow

CWE-617Reachable Assertion5 documents5 sources
Severity
7.5HIGHNVD
CNA5.9
EPSS
0.2%
top 58.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
TensorflowGoogle TensorflowIntel Optimization FOR Tensorflow
Timeline
PublishedSep 16

Description

TensorFlow is an open source platform for machine learning. When `mlir::tfg::ConvertGenericFunctionToFunctionDef` is given empty function attributes, it crashes. We have patched the issue in GitHub commit ad069af92392efee1418c48ff561fd3070a03d7b. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDgoogle/tensorflow2.8.02.8.1+3
CVEListV5tensorflow/tensorflow< 2.7.2+2
PyPIintel/optimization_for_tensorflow2.8.02.8.1+2

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
TensorFlow vulnerable to assertion fail on MLIR empty edge names2022-09-16
CVEList
Assertion fail on MLIR empty edge names in TensorFlow2022-09-16
GHSA
TensorFlow vulnerable to assertion fail on MLIR empty edge names2022-09-16

📋Vendor Advisories

1
Debian
CVE-2022-36012: tensorflow - TensorFlow is an open source platform for machine learning. When `mlir::tfg::Con...2022
CVE-2022-36012 — Reachable Assertion in Tensorflow | cvebase