First published: Fri Sep 16 2022(Updated: )
TensorFlow is an open source platform for machine learning. When `mlir::tfg::ConvertGenericFunctionToFunctionDef` is given empty function attributes, it crashes. We have patched the issue in GitHub commit ad069af92392efee1418c48ff561fd3070a03d7b. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Google TensorFlow | <2.7.2 | |
Google TensorFlow | >=2.8.0<2.8.1 | |
Google TensorFlow | >=2.9.0<2.9.1 | |
Google TensorFlow | =2.10-rc0 | |
Google TensorFlow | =2.10-rc1 | |
Google TensorFlow | =2.10-rc2 | |
Google TensorFlow | =2.10-rc3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-36012 is a vulnerability in TensorFlow, an open source platform for machine learning, that can cause a crash when empty function attributes are used in mlir::tfg::ConvertGenericFunctionToFunctionDef.
The severity of CVE-2022-36012 is high, with a severity value of 7.5.
Versions 2.7.2 to 2.9.1 of Google TensorFlow, as well as versions 2.10-rc0, 2.10-rc1, 2.10-rc2, and 2.10-rc3 are affected by CVE-2022-36012.
Yes, a fix for CVE-2022-36012 has been released in GitHub commit ad069af92392efee1418c48ff561fd3070a03d7b. The fix will be included in TensorFlow 2.10.0.
You can find more information about CVE-2022-36012 on the TensorFlow GitHub page and the associated security advisories: GHSA-jvhc-5hhr-w3v5.