CVE-2022-41893
First published: Fri Nov 18 2022(Updated: )
TensorFlow is an open source platform for machine learning. If `tf.raw_ops.TensorListResize` is given a nonscalar value for input `size`, it results `CHECK` fail which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 888e34b49009a4e734c27ab0c43b0b5102682c56. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Google TensorFlow | <2.8.4 | |
| Google TensorFlow | >=2.9.0<2.9.3 | |
| Google TensorFlow | >=2.10.0<2.10.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this TensorFlow issue?
The vulnerability ID of this TensorFlow issue is CVE-2022-41893.
What is the severity of CVE-2022-41893?
The severity of CVE-2022-41893 is high with a CVSS score of 7.5.
What is the affected software for CVE-2022-41893?
The affected software for CVE-2022-41893 is Google TensorFlow versions up to 2.8.4, 2.9.0 up to 2.9.3, and 2.10.0 up to 2.10.1.
How can CVE-2022-41893 be exploited?
CVE-2022-41893 can be exploited by providing a nonscalar value for input `size` in `tf.raw_ops.TensorListResize` which triggers a CHECK fail and can result in a denial of service attack.
Has CVE-2022-41893 been patched?
Yes, CVE-2022-41893 has been patched. Please refer to the GitHub commit 888e34b49009a4e734c27ab0c43b0b5102682c56 for the patch.
- collector/nvd-index
- vendor/google
- canonical/google tensorflow
- version/google tensorflow/2.9.0
- version/google tensorflow/2.10.0