First published: Fri May 20 2022(Updated: )
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.SparseTensorDenseAdd` does not fully validate the input arguments. In this case, a reference gets bound to a `nullptr` during kernel execution. This is undefined behavior. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Google TensorFlow | <2.6.4 | |
Google TensorFlow | >=2.7.0<2.7.2 | |
Google TensorFlow | =2.7.0-rc0 | |
Google TensorFlow | =2.7.0-rc1 | |
Google TensorFlow | =2.8.0 | |
Google TensorFlow | =2.8.0-rc0 | |
Google TensorFlow | =2.8.0-rc1 | |
Google TensorFlow | =2.9.0-rc0 | |
Google TensorFlow | =2.9.0-rc1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of CVE-2022-29206 is considered medium, primarily due to potential memory references being bound to null pointers.
To fix CVE-2022-29206, upgrade TensorFlow to versions 2.9.0, 2.8.1, 2.7.2, or 2.6.4 or later.
CVE-2022-29206 affects TensorFlow versions prior to 2.9.0, 2.8.1, 2.7.2, and 2.6.4.
The impact of CVE-2022-29206 could lead to potential crashes or unexpected behavior in applications that misuse the SparseTensorDenseAdd operation.
CVE-2022-29206 is not classified as a remote execution vulnerability; it primarily affects local execution of TensorFlow operations.