CVE-2023-25668 — Heap-based Buffer Overflow in Tensorflow

CWE-122 — Heap-based Buffer Overflow CWE-125 — Out-of-bounds Read6 documents6 sources

Severity

9.8CRITICALNVD

EPSS

1.5%

top 19.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow

Timeline

Latest updateMar 24

PublishedMar 25

Description

TensorFlow is an open source platform for machine learning. Attackers using Tensorflow prior to 2.12.0 or 2.11.1 can access heap memory which is not in the control of user, leading to a crash or remote code execution. The fix will be included in TensorFlow version 2.12.0 and will also cherrypick this commit on TensorFlow version 2.11.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDgoogle/tensorflow< 2.12.0

▶CVEListV5tensorflow/tensorflow< 2.11.1

▶PyPIintel/optimization_for_tensorflow< 2.11.1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

TensorFlow vulnerable to heap out-of-buffer read in the QuantizeAndDequantize operation↗2023-03-24

▶

GHSA

TensorFlow has a heap out-of-buffer read vulnerability in the QuantizeAndDequantize operation↗2023-03-24

▶

OSV

TensorFlow has a heap out-of-buffer read vulnerability in the QuantizeAndDequantize operation↗2023-03-24

▶

📋Vendor Advisories

Microsoft

TensorFlow vulnerable to heap out-of-buffer read in the QuantizeAndDequantize operation↗2023-03-14

▶

Debian

CVE-2023-25668: tensorflow - TensorFlow is an open source platform for machine learning. Attackers using Tens...↗2023

▶