First published: Fri Nov 18 2022
TensorFlow is an open source platform for machine learning. An input `sparse_matrix` that is not a matrix with a shape with rank 0 will trigger a `CHECK` fail in `tf.raw_ops.SparseMatrixNNZ`. We have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693. The fix will be included in TensorFlow 2.11. We will also cherry-pick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Google TensorFlow | <2.8.4 | |
Google TensorFlow | >=2.9.0<2.9.3 | |
Google TensorFlow | >=2.10.0<2.10.1 | |
The vulnerability ID is CVE-2022-41901.
The severity of CVE-2022-41901 is high.
Google TensorFlow versions before 2.8.4, versions from 2.9.0 up to but not including 2.9.3, and versions from 2.10.0 up to but not including 2.10.1 are affected by CVE-2022-41901.
You can fix CVE-2022-41901 by updating TensorFlow to a version higher than 2.10.1 or applying the patch provided in the GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693.
The CWE IDs for CVE-2022-41901 are CWE-617 and CWE-20.