First published: Fri Nov 18 2022
TensorFlow is an open source platform for machine learning. An input `encoded` that is not a valid `CompositeTensorVariant` tensor will trigger a segfault in `tf.raw_ops.CompositeTensorVariantToComponents`. We have patched the issue in GitHub commits bf594d08d377dc6a3354d9fdb494b32d45f91971 and 660ce5a89eb6766834bdc303d2ab3902aef99d3d. The fix will be included in TensorFlow 2.11. We will also cherry-pick these commits onto TensorFlow 2.10.1, 2.9.3, and 2.8.4, as these releases are also affected and still in supported range.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Google TensorFlow | <2.8.4 | Upgrade to 2.8.4 |
Google TensorFlow | >=2.9.0, <2.9.3 | Upgrade to 2.9.3 |
Google TensorFlow | =2.10.0 | Upgrade to 2.10.1 |
CVE-2022-41909 is a vulnerability in TensorFlow in which an `encoded` input that is not a valid `CompositeTensorVariant` tensor triggers a segfault in `tf.raw_ops.CompositeTensorVariantToComponents`.
The severity of CVE-2022-41909 is high with a CVSS score of 7.5.
CVE-2022-41909 affects Google TensorFlow versions below 2.8.4, versions from 2.9.0 up to but not including 2.9.3, and exactly 2.10.0.
CVE-2022-41909 can be fixed by applying the patches provided by TensorFlow in the GitHub commits bf594d08d377dc6a3354d9fdb494b32d45f91971 and 660ce5a89eb6766834bdc303d2ab3902aef99d3d.
To mitigate CVE-2022-41909, update Google TensorFlow to a release that includes the patches: 2.8.4, 2.9.3, 2.10.1, or 2.11.
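As an added example that is not part of this advisory or of TensorFlow's own code, the following Python helper encodes the three affected ranges from the table above and maps a `tf.__version__` string to the release on the same branch that carries the fix (2.8.4, 2.9.3 or 2.10.1, as stated in the advisory text). The `check_installed` helper and the sample version strings are assumptions of this example; the function names are not from the page.

```python
"""Version-range check for CVE-2022-41909 (example code, not from the advisory)."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges copied from the advisory table. Each entry is
# (inclusive lower bound or None, exclusive upper bound, first fixed release
# on that branch). The fixed releases come from the advisory text: the fix is
# in 2.11 and was cherry-picked to 2.10.1, 2.9.3 and 2.8.4.
AFFECTED_RANGES = (
    (None,        (2, 8, 4),  (2, 8, 4)),   # Google TensorFlow < 2.8.4
    ((2, 9, 0),   (2, 9, 3),  (2, 9, 3)),   # >= 2.9.0 and < 2.9.3
    ((2, 10, 0),  (2, 10, 1), (2, 10, 1)),  # = 2.10.0
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse MAJOR.MINOR.PATCH from a tf.__version__ string such as '2.9.1'.

    Pre-release suffixes ('2.10.0-rc1') are ignored, so a release candidate is
    treated like the base release it precedes, which is the conservative choice
    when deciding whether a build is in an affected range.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised TensorFlow version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def fixed_release_for(version: str) -> Optional[str]:
    """Return the patched release to upgrade to if `version` is affected, else None."""
    parsed = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES:
        in_lower = lower is None or parsed >= lower
        if in_lower and parsed < upper:
            return ".".join(str(part) for part in fixed)
    return None


def is_affected(version: str) -> bool:
    """True when `version` falls inside one of the advisory's affected ranges."""
    return fixed_release_for(version) is not None


def check_installed() -> str:
    """Report on the TensorFlow build importable in this interpreter, if any.

    Hypothetical helper: it only reads tf.__version__ and never calls the
    affected op.
    """
    try:
        import tensorflow as tf  # type: ignore[import-not-found]
    except ImportError:
        return "TensorFlow is not installed in this environment"
    fixed = fixed_release_for(tf.__version__)
    if fixed is None:
        return f"TensorFlow {tf.__version__} is outside the affected ranges for CVE-2022-41909"
    return f"TensorFlow {tf.__version__} is affected by CVE-2022-41909; upgrade to {fixed} or later"


if __name__ == "__main__":
    # Constructed sample inputs; 2.10.0 is the one exact version the table lists.
    for sample in ("2.7.0", "2.9.2", "2.10.0", "2.10.1", "2.11.0"):
        print(sample, "->", fixed_release_for(sample) or "not affected")
    print(check_installed())
```

The ranges are deliberately kept as data rather than hard-coded comparisons so the same helper can be pointed at another advisory's table by editing `AFFECTED_RANGES` alone.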