CVSS score: 7.5
CWE: CWE-476, CWE-20

CVE-2022-41909: Segfault in `CompositeTensorVariantToComponents` in TensorFlow

First published: Fri Nov 18 2022

TensorFlow is an open source platform for machine learning. An input `encoded` that is not a valid `CompositeTensorVariant` tensor will trigger a segfault in `tf.raw_ops.CompositeTensorVariantToComponents`. We have patched the issue in GitHub commits bf594d08d377dc6a3354d9fdb494b32d45f91971 and 660ce5a89eb6766834bdc303d2ab3902aef99d3d. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Credit: security-advisories@github.com

| Affected Software | Affected Version |
|---|---|
| Google TensorFlow | <2.8.4 |
| Google TensorFlow | >=2.9.0, <2.9.3 |
| Google TensorFlow | =2.10.0 |
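A check of pinned versions against the affected ranges listed above, as an added example that is not part of the advisory or of TensorFlow's code. The requirements-style input, the `tensorflow-cpu`/`tensorflow-gpu` package names and the function names are assumptions; pre-release strings are reported as undetermined rather than guessed.

```python
import re


def parse_release(version):
    """Return (major, minor, patch), or None if not a plain X.Y.Z release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(version):
    """True/False for plain releases; None when the string needs manual review."""
    rel = parse_release(version)
    if rel is None:
        return None  # e.g. 2.10.0rc3: the page gives no ruling on pre-releases
    # Ranges from the table: <2.8.4, >=2.9.0 and <2.9.3, =2.10.0
    return rel < (2, 8, 4) or (2, 9, 0) <= rel < (2, 9, 3) or rel == (2, 10, 0)


# Assumption: the CPU/GPU package variants are checked the same way.
PIN = re.compile(r"^\s*(tensorflow(?:-cpu|-gpu)?)\s*==\s*([^\s;#]+)", re.I)


def audit(requirements_text):
    """Return (line number, package, version, affected) for each TensorFlow pin."""
    findings = []
    for lineno, line in enumerate(requirements_text.splitlines(), 1):
        m = PIN.match(line)
        if m:
            version = m.group(2)
            findings.append((lineno, m.group(1).lower(), version, is_affected(version)))
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE = """\
numpy==1.23.4
tensorflow==2.8.3
tensorflow-cpu==2.9.3
tensorflow==2.10.0  # pinned by training job
tensorflow-gpu==2.10.0rc3
tensorflow==2.11.0
"""

if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "ok", None: "REVIEW MANUALLY"}
    for lineno, package, version, affected in audit(SAMPLE):
        print(f"line {lineno}: {package} {version}: {labels[affected]}")
```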


Frequently Asked Questions

  • What is CVE-2022-41909?

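    CVE-2022-41909 is a vulnerability in TensorFlow in which an `encoded` input that is not a valid `CompositeTensorVariant` tensor triggers a segfault in `tf.raw_ops.CompositeTensorVariantToComponents`.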

  • What is the severity of CVE-2022-41909?

    The severity of CVE-2022-41909 is high with a CVSS score of 7.5.

  • How does CVE-2022-41909 affect Google TensorFlow?

    CVE-2022-41909 affects Google TensorFlow versions before 2.8.4, versions from 2.9.0 up to but not including 2.9.3, and version 2.10.0.

  • How can CVE-2022-41909 be fixed?

    CVE-2022-41909 can be fixed by applying the patches provided by TensorFlow in the GitHub commits bf594d08d377dc6a3354d9fdb494b32d45f91971 and 660ce5a89eb6766834bdc303d2ab3902aef99d3d.

  • What actions can be taken to mitigate CVE-2022-41909?

    To mitigate CVE-2022-41909, update Google TensorFlow to a version that includes the relevant patches. The advisory names 2.11, 2.10.1, 2.9.3, and 2.8.4 as the releases that carry the fix.
