CVE-2022-41900 — Out-of-bounds Read in Tensorflow

CWE-125 — Out-of-bounds Read CWE-787 — Out-of-bounds Write6 documents6 sources

Severity

9.8CRITICALNVD

CNA7.1

EPSS

1.2%

top 20.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow

Timeline

PublishedNov 18

Latest updateNov 21

Description

TensorFlow is an open source platform for machine learning. The security vulnerability results in FractionalMax(AVG)Pool with illegal pooling_ratio. Attackers using Tensorflow can exploit the vulnerability. They can access heap memory which is not in the control of user, leading to a crash or remote code execution. We have patched the issue in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48. The fix will be included in TensorFlow 2.11.0. We will also cherry pick this commit on TensorFlow …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDgoogle/tensorflow2.9.0 — 2.9.3+2

▶CVEListV5tensorflow/tensorflow< 2.8.4+2

▶PyPIintel/optimization_for_tensorflow2.9.0 — 2.9.3+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

FractionalMaxPool and FractionalAVGPool heap out-of-bounds acess↗2022-11-21

▶

GHSA

FractionalMaxPool and FractionalAVGPool heap out-of-bounds acess↗2022-11-21

▶

CVEList

FractionalMaxPool and FractionalAVGPool heap out-of-bounds acess in Tensorflow↗2022-11-18

▶

📋Vendor Advisories

Microsoft

FractionalMaxPool and FractionalAVGPool heap out-of-bounds acess in Tensorflow↗2022-11-08

▶

Debian

CVE-2022-41900: tensorflow - TensorFlow is an open source platform for machine learning. The security vulnera...↗2022

▶