First published: Fri Nov 18 2022(Updated: )
TensorFlow is an open source platform for machine learning. If a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a `nullptr`, which is not caught. An example can be seen in `tf.compat.v1.extract_volume_patches` by passing in quantized tensors as input `ksizes`. We have patched the issue in GitHub commit e9e95553e5411834d215e6770c81a83a3d0866ce. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Google TensorFlow | <2.8.4 | |
Google TensorFlow | >=2.9.0<2.9.3 | |
Google TensorFlow | >=2.10.0<2.10.1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-41889 is a vulnerability in TensorFlow, an open source platform for machine learning, where a list of quantized tensors assigned to an attribute can cause the pywrap code to fail, leading to a null pointer exception.
CVE-2022-41889 affects Google TensorFlow versions up to and including 2.8.4, versions 2.9.0 to 2.9.3, and versions 2.10.0 to 2.10.1.
CVE-2022-41889 has a severity rating of 7.5 (High).
To fix CVE-2022-41889, it is recommended to update to a version of Google TensorFlow that is not affected by the vulnerability.
More information about CVE-2022-41889 can be found in the TensorFlow GitHub repository and the TensorFlow security advisories.