Wang Xuan

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.12 TensorFlow version 2.11.1 and earlier **Description** Constructing a tflite model with a parameter `filter input channel` of less than 1 gives a Floating Point Exception (FPE). This issue affects TensorFlow, an end-to-end open source platform for machine learning. **Recommendations** For versions prior to 2.12, update to version 2.12 or later to resolve the issue. For version 2.11.1 and earlier, wait for the fix commit to be cherry-picked or update to a newer version when available. As a temporary workaround, consider avoiding the construction of tflite models with a `filter input channel` parameter of less than 1 until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PaddlePaddle versions prior to 2.4 **Description** The issue is an out-of-bounds read in the `gather tree` function. This problem affects PaddlePaddle versions before 2.4. A patch for this issue is available in the `release/2.4` branch. **Recommendations** For versions prior to 2.4, update to version 2.4 or later to resolve the issue. As a temporary workaround, consider disabling the `gather tree` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue arises during the inference shape operation of the Transpose operator. If the value in the `perm` element is greater than or equal to the size of the `input shape`, it will access data outside the bounds of `input shape`, which is allocated from heap buffers. This is a buffer overflow issue that can potentially lead to data corruption or other security problems. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue arises when performing the inference shape operation of the SparseToDense operator with less than three inputs, causing it to access data outside the bounds of inputs allocated from heap buffers. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TensorFlow (affected versions not specified) **Description** The issue arises when the DepthwiseConv2D operator is used with its `depth multiplier` attribute set to 0. This configuration leads to a division by 0 exception during the analytical operation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue occurs when the Reduce operator run operation is executed and there is a value of 0 in the parameter `axis sizes` element, causing a division by 0 exception. No information is provided about the estimated number of potentially affected devices or real-world incidents. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions (affected versions not specified) **Description** The issue arises when the SpaceToBatch operator performs the derivation shape operation and encounters a value of 0 in the `block shape` element, leading to a division by 0 exception. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue occurs when performing the initialization operation of the Split operator. If a dimension in the input shape is 0, it will cause a division by 0 exception. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue occurs when performing the inference shape operation of the Tile operator. If the input data type is not int or int32, it will access data outside of the bounds of heap allocated buffers. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue occurs when performing inference shape operations on certain operators, including Affine, Concat, MatMul, ArgMinMax, EmbeddingLookup, and Gather. If the input shape size is 0, it can lead to accessing data outside the bounds of the allocated shape from heap buffers. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.8.0 TensorFlow versions 2.7.1 and earlier TensorFlow versions 2.6.3 and earlier TensorFlow versions 2.5.3 and earlier **Description** An attacker can craft a TFLite model that would cause an integer overflow in `TfLiteIntArrayCreate`. The `TfLiteIntArrayGetSizeInBytes` returns an `int` instead of a `size t`. An attacker can control model inputs such that `computed size` overflows the size of `int` datatype. **Recommendations** For versions prior to 2.8.0, update to TensorFlow 2.8.0 or later. For versions 2.7.1 and earlier, update to TensorFlow 2.7.1 or later. For versions 2.6.3 and earlier, update to TensorFlow 2.6.3 or later. For versions 2.5.3 and earlier, update to TensorFlow 2.5.3 or later. As a temporary workaround, consider restricting the use of `TfLiteIntArrayCreate` and `TfLiteIntArrayGetSizeInBytes` functions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.8.0 TensorFlow versions 2.7.0 through 2.7.0 TensorFlow versions 2.6.0 through 2.6.2 TensorFlow versions 2.5.0 through 2.5.2 **Description** An attacker can craft a TFLite model that would cause an integer overflow in embedding lookup operations. Both `embedding size` and `lookup size` are products of values provided by the user, allowing a malicious user to trigger overflows in the multiplication. This can result in heap OOB read/write in certain scenarios. **Recommendations** For TensorFlow versions prior to 2.8.0, upgrade to version 2.8.0 or later. For TensorFlow versions 2.7.0 through 2.7.0, upgrade to version 2.7.1 or later. For TensorFlow versions 2.6.0 through 2.6.2, upgrade to version 2.6.3 or later. For TensorFlow versions 2.5.0 through 2.5.2, upgrade to version 2.5.3 or later. As a temporary workaround, consider restricting the use of user-provided values for `embedding size` and `lookup size` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions 2.5.3 through 2.7.1 TensorFlow version 2.8.0 is not affected, as it includes the fix. **Description** An attacker can craft a TFLite model that would allow limited reads and writes outside of arrays in TFLite. This exploits missing validation in the conversion from sparse tensors to dense tensors. **Recommendations** For TensorFlow versions 2.5.3, 2.6.3, and 2.7.1, upgrade to the respective patched versions as soon as possible. For TensorFlow versions prior to 2.8.0, upgrade to version 2.8.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of TFLite models until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.8.0 TensorFlow versions prior to 2.7.1 TensorFlow versions prior to 2.6.3 TensorFlow versions prior to 2.5.3 **Description** An attacker can craft a TFLite model to cause a write outside the bounds of an array in TFLite, potentially overriding the linked list used by the memory allocator. This can be leveraged for an arbitrary write primitive under certain conditions. **Recommendations** For versions prior to 2.8.0, update to TensorFlow 2.8.0 or later. For versions prior to 2.7.1, update to TensorFlow 2.7.1 or later. For versions prior to 2.6.3, update to TensorFlow 2.6.3 or later. For versions prior to 2.5.3, update to TensorFlow 2.5.3 or later.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.8.0 TensorFlow versions 2.7.1, 2.6.3, and 2.5.3 are also affected **Description** An attacker can craft a TFLite model that would trigger a division by zero in the `BiasAndClamp` implementation. There is no check that the `bias size` is non zero. The issue is related to the `BiasAndClamp` function, which does not verify if the `bias size` is non-zero before performing operations. **Recommendations** For versions prior to 2.8.0, update to TensorFlow 2.8.0 or later. For version 2.7.1, update to a version that includes the cherrypicked commit. For version 2.6.3, update to a version that includes the cherrypicked commit. For version 2.5.3, update to a version that includes the cherrypicked commit. As a temporary workaround, consider disabling the `BiasAndClamp` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.8.0 TensorFlow versions 2.7.1, 2.6.3, and 2.5.3 are also affected **Description** An attacker can craft a TFLite model to trigger a division by zero in the implementation of depthwise convolutions. The parameters of the convolution, which are user-controlled, are used in a division operation to determine the padding size before applying the convolution. There is no check to ensure the divisor is strictly positive. **Recommendations** For versions prior to 2.8.0, update to TensorFlow 2.8.0 or later. For version 2.7.1, update to a version that includes the cherrypicked commit. For version 2.6.3, update to a version that includes the cherrypicked commit. For version 2.5.3, update to a version that includes the cherrypicked commit. As a temporary workaround, consider restricting the use of user-controlled convolution parameters to minimize the risk of exploitation.