CVE-2023-25801: Double Free
First published: Sat Mar 25 2023(Updated: )
TensorFlow is an open source machine learning platform. Prior to versions 2.12.0 and 2.11.1, `nn_ops.fractional_avg_pool_v2` and `nn_ops.fractional_max_pool_v2` require the first and fourth elements of their parameter `pooling_ratio` to be equal to 1.0, as pooling on batch and channel dimensions is not supported. A fix is included in TensorFlow 2.12.0 and 2.11.1.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Google TensorFlow | <2.12.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2023-25801.
What is the severity of CVE-2023-25801?
The severity of CVE-2023-25801 is high with a severity value of 7.8.
What is the affected software for CVE-2023-25801?
The affected software for CVE-2023-25801 is TensorFlow versions up to 2.12.0.
What is the fix for CVE-2023-25801?
To fix CVE-2023-25801, upgrade to TensorFlow versions 2.12.0 or later and ensure that the first and fourth elements of the parameter 'pooling_ratio' in 'nn_ops.fractional_avg_pool_v2' and 'nn_ops.fractional_max_pool_v2' are equal to 1.0.
Where can I find more information about CVE-2023-25801?
You can find more information about CVE-2023-25801 in the following references: [GitHub Commit](https://github.com/tensorflow/tensorflow/commit/ee50d1e00f81f62a4517453f721c634bbb478307), [GitHub Security Advisory](https://github.com/tensorflow/tensorflow/security/advisories/GHSA-f49c-87jh-g47q).
- collector/nvd-index
- vendor/google
- canonical/google tensorflow