CVE-2023-25676

CWE-476 — NULL Pointer Dereference6 documents6 sources

Severity

7.5HIGH

EPSS

0.2%

top 52.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Tensorflow Google Tensorflow

Timeline

Latest updateMar 24

PublishedMar 25

Description

TensorFlow is an open source machine learning platform. When running versions prior to 2.12.0 and 2.11.1 with XLA, `tf.raw_ops.ParallelConcat` segfaults with a nullptr dereference when given a parameter `shape` with rank that is not greater than zero. A fix is available in TensorFlow 2.12.0 and 2.11.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶PyPItensorflow< 2.11.1

▶PyPItensorflow-cpu< 2.11.1

▶PyPItensorflow-gpu< 2.11.1

▶NVDgoogle/tensorflow< 2.12.0

▶CVEListV5tensorflow/tensorflow< 2.11.1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

TensorFlow has null dereference on ParallelConcat with XLA↗2023-03-24

▶

GHSA

TensorFlow has null dereference on ParallelConcat with XLA↗2023-03-24

▶

OSV

TensorFlow has null dereference on ParallelConcat with XLA↗2023-03-24

▶

📋Vendor Advisories

Microsoft

TensorFlow has null dereference on ParallelConcat with XLA↗2023-03-14

▶

Debian

CVE-2023-25676: tensorflow - TensorFlow is an open source machine learning platform. When running versions pr...↗2023

▶