Yu Tian

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.12.0 TensorFlow versions prior to 2.11.1 **Description** The issue occurs when the parameter `summarize` of `tf.raw ops.Print` is zero, causing the new method `SummarizeArray<bool>` to reference a nullptr, leading to a seg fault. **Recommendations** For versions prior to 2.12.0, update to TensorFlow version 2.12.0 or later. For versions prior to 2.11.1, update to TensorFlow version 2.11.1 or later. As a temporary workaround, consider avoiding the use of the `summarize` parameter with a value of 0 in the `tf.raw ops.Print` function until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.12.0 and 2.11.1 **Description** The issue occurs when `ctx->step containter()` is a null pointer, causing the Lookup function to be executed with a null pointer. This can be triggered in certain scenarios, such as when using the `tf.raw ops.TensorArrayConcatV2` function with specific parameters, including `handle`, `flow in`, `dtype`, and `element shape except0`. The estimated number of potentially affected devices worldwide is not specified. **Recommendations** For versions prior to 2.12.0, update to version 2.12.0 to resolve the issue. For versions prior to 2.11.1, update to version 2.11.1 to resolve the issue. As a temporary workaround, consider avoiding the use of the `tf.raw ops.TensorArrayConcatV2` function with a null `ctx->step containter()` until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.12.0 TensorFlow versions prior to 2.11.1 **Description** The issue occurs when `SparseSparseMaximum` is given invalid sparse tensors as inputs, resulting in a null pointer error. This is a problem in the TensorFlow open source platform for machine learning. **Recommendations** For versions prior to 2.12.0, update to TensorFlow version 2.12 or later. For versions prior to 2.11.1, update to TensorFlow version 2.11.1 or later. As a temporary workaround, consider avoiding the use of `SparseSparseMaximum` with invalid sparse tensors until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.11 TensorFlow versions 2.10.1, 2.9.3, and 2.8.4 **Description** The issue occurs when the `BaseCandidateSamplerOp` function receives a value in `true classes` larger than `range max`, resulting in a heap out-of-bounds read. This can be triggered by calling the `tf.raw ops.ThreadUnsafeUnigramCandidateSampler` function with a `true classes` value exceeding the `range max` parameter. **Recommendations** For TensorFlow versions prior to 2.11, update to version 2.11 or later. For TensorFlow version 2.10.1, apply the patch from GitHub commit b389f5c944cadfdfe599b3f1e4026e036f30d2d4. For TensorFlow version 2.9.3, apply the patch from GitHub commit b389f5c944cadfdfe599b3f1e4026e036f30d2d4. For TensorFlow version 2.8.4, apply the patch from GitHub commit b389f5c944cadfdfe599b3f1e4026e036f30d2d4. As a temporary workaround, consider restricting the input values for `true classes` to prevent them from exceeding the `range max` value.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.11 TensorFlow versions 2.10.1, 2.9.3, and 2.8.4 **Description** TensorFlow is an open source platform for machine learning. If `FractionMaxPoolGrad` is given outsize inputs `row pooling sequence` and `col pooling sequence`, TensorFlow will crash. **Recommendations** For versions prior to 2.11, update to TensorFlow 2.11. For version 2.10.1, apply the patch from GitHub commit d71090c3e5ca325bdf4b02eb236cfb3ee823e927 or update to a newer version. For version 2.9.3, apply the patch from GitHub commit d71090c3e5ca325bdf4b02eb236cfb3ee823e927 or update to a newer version. For version 2.8.4, apply the patch from GitHub commit d71090c3e5ca325bdf4b02eb236cfb3ee823e927 or update to a newer version. As a temporary workaround, consider restricting the use of `FractionMaxPoolGrad` until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.11 TensorFlow versions 2.10.1 and earlier TensorFlow versions 2.9.3 and earlier TensorFlow versions 2.8.4 and earlier **Description** The issue arises when the `MirrorPadGrad` function is given oversized input `paddings`, resulting in a heap OOB error. This can be triggered by providing large values for the `paddings` parameter, such as `[[0x77f00000,0xa000000]]`, in the `tf.raw ops.MirrorPadGrad` operation with the `mode` set to `'REFLECT'`. **Recommendations** For versions prior to 2.11, update to TensorFlow 2.11 or later. For versions 2.10.1 and earlier, update to TensorFlow 2.10.1 or later, or apply the patch from GitHub commit 717ca98d8c3bba348ff62281fdf38dcb5ea1ec92. For versions 2.9.3 and earlier, update to TensorFlow 2.9.3 or later, or apply the patch from GitHub commit 717ca98d8c3bba348ff62281fdf38dcb5ea1ec92. For versions 2.8.4 and earlier, update to TensorFlow 2.8.4 or later, or apply the patch from GitHub commit 717ca98d8c3bba348ff62281fdf38dcb5ea1ec92. As a temporary workaround, consider restricting the input values for the `paddings` parameter in the `tf.raw ops.MirrorPadGrad` operation to prevent oversized inputs.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.11 TensorFlow versions 2.10.1, 2.9.3, and 2.8.4 **Description** TensorFlow is an open source platform for machine learning. If `ThreadUnsafeUnigramCandidateSampler` is given input `filterbank channel count` greater than the allowed max size, TensorFlow will crash. **Recommendations** For TensorFlow versions prior to 2.11, update to version 2.11 or later. For TensorFlow version 2.10.1, update to a version that includes the patch from GitHub commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860. For TensorFlow version 2.9.3, update to a version that includes the patch from GitHub commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860. For TensorFlow version 2.8.4, update to a version that includes the patch from GitHub commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860. As a temporary workaround, consider restricting the input `filterbank channel count` to prevent it from exceeding the allowed max size.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.8.0 TensorFlow versions 2.7.1, 2.6.3, and 2.5.3 are also affected **Description** The implementation of `ThreadPoolHandle` can be used to trigger a denial of service attack by allocating too much memory. This is because the `num threads` argument is only checked to not be negative, but there is no upper bound on its value. **Recommendations** For versions prior to 2.8.0, update to TensorFlow 2.8.0 or later to resolve the issue. For version 2.7.1, update to a version that includes the cherrypicked commit. For version 2.6.3, update to a version that includes the cherrypicked commit. For version 2.5.3, update to a version that includes the cherrypicked commit. As a temporary workaround, consider restricting the value of the `num threads` argument to prevent excessive memory allocation.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.8.0 TensorFlow versions 2.7.1 and earlier TensorFlow versions 2.6.3 and earlier TensorFlow versions 2.5.3 and earlier **Description** The estimator for the cost of some convolution operations in TensorFlow can be made to execute a division by 0 due to a failure to check that the stride argument is strictly positive. This issue can be exploited by providing a stride argument of 0. The function `GetOutputSize` is vulnerable due to its calculation of output shape. For example, the `strides` argument in the `tf.raw ops.AvgPoolGrad` function can be set to `[1,1,1,0]` to trigger the division by 0. **Recommendations** For TensorFlow versions prior to 2.8.0, update to version 2.8.0 or later to resolve the issue. For TensorFlow versions 2.7.1 and earlier, update to version 2.7.1 or later to resolve the issue. For TensorFlow versions 2.6.3 and earlier, update to version 2.6.3 or later to resolve the issue. For TensorFlow versions 2.5.3 and earlier, update to version 2.5.3 or later to resolve the issue. As a temporary workaround, consider adding a check for the `strides` argument to ensure it is valid before passing it to the `tf.raw ops.AvgPoolGrad` function.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.8.0 TensorFlow versions 2.7.1 and earlier TensorFlow versions 2.6.3 and earlier TensorFlow versions 2.5.3 and earlier **Description** The implementation of `StringNGrams` can be used to trigger a denial of service attack by causing an out of memory condition after an integer overflow. This is due to missing validation on `pad width`, resulting in computing a negative value for `ngram width`, which is later used to allocate parts of the output. **Recommendations** For versions prior to 2.8.0, update to TensorFlow 2.8.0 or later. For versions 2.7.1 and earlier, update to TensorFlow 2.7.1 or later. For versions 2.6.3 and earlier, update to TensorFlow 2.6.3 or later. For versions 2.5.3 and earlier, update to TensorFlow 2.5.3 or later. As a temporary workaround, consider disabling the `StringNGrams` function until a patch is available. Restrict access to the `StringNGrams` function to minimize the risk of exploitation. Avoid using the `pad width` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.8.0 TensorFlow versions 2.7.1 and earlier TensorFlow versions 2.6.3 and earlier TensorFlow versions 2.5.3 and earlier **Description** The implementation of `Dequantize` does not fully validate the value of `axis` and can result in heap OOB accesses. The `axis` argument can be `-1` (the default value for the optional argument) or any other positive value at most the number of dimensions of the input. Unfortunately, the upper bound is not checked and this results in reading past the end of the array containing the dimensions of the input tensor. **Recommendations** For versions prior to 2.8.0, update to TensorFlow 2.8.0 or later. For versions 2.7.1 and earlier, update to TensorFlow 2.7.1 or later. For versions 2.6.3 and earlier, update to TensorFlow 2.6.3 or later. For versions 2.5.3 and earlier, update to TensorFlow 2.5.3 or later. As a temporary workaround, consider validating the `axis` argument to prevent heap OOB accesses.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.8.0 TensorFlow versions 2.7.1 and earlier TensorFlow versions 2.6.3 and earlier TensorFlow versions 2.5.3 and earlier **Description** The implementation of shape inference for `Dequantize` is vulnerable to an integer overflow weakness. The `axis` argument can be `-1` (the default value for the optional argument) or any other positive value at most the number of dimensions of the input. Unfortunately, the upper bound is not checked, and, since the code computes `axis + 1`, an attacker can trigger an integer overflow. **Recommendations** For versions prior to 2.8.0, update to TensorFlow 2.8.0 or later. For versions 2.7.1 and earlier, update to TensorFlow 2.7.1 or later. For versions 2.6.3 and earlier, update to TensorFlow 2.6.3 or later. For versions 2.5.3 and earlier, update to TensorFlow 2.5.3 or later. As a temporary workaround, consider restricting the use of the `axis` argument in the `Dequantize` function to prevent integer overflow.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.8.0 TensorFlow versions 2.7.1 and earlier TensorFlow versions 2.6.3 and earlier TensorFlow versions 2.5.3 and earlier **Description** The implementation of shape inference for `ReverseSequence` does not fully validate the value of `batch dim` and can result in a heap OOB read. There is a check to make sure the value of `batch dim` does not go over the rank of the input, but there is no check for negative values. Negative dimensions are allowed in some cases to mimic Python's negative indexing, however if the value is too negative then the implementation of `Dim` would access elements before the start of an array. **Recommendations** For versions prior to 2.8.0, update to TensorFlow 2.8.0 or later. For versions 2.7.1 and earlier, update to TensorFlow 2.7.1 or later. For versions 2.6.3 and earlier, update to TensorFlow 2.6.3 or later. For versions 2.5.3 and earlier, update to TensorFlow 2.5.3 or later. As a temporary workaround, consider restricting the use of the `ReverseSequence` function with negative `batch dim` values until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions 2.5.3 through 2.7.1 TensorFlow version 2.8.0 is not affected as it includes the fix. **Description** The implementation of `UnravelIndex` is vulnerable to a division by zero caused by an integer overflow bug. This issue can be exploited using the `tf.raw ops.UnravelIndex` function with specific parameters, such as `indices=-0x100000` and `dims=[0x100000,0x100000]`. The vulnerability has been reported by Yu Tian of Qihoo 360 AIVul Team. **Recommendations** For TensorFlow versions 2.5.3, 2.6.3, and 2.7.1, update to the respective patched versions to resolve the issue. For TensorFlow versions prior to 2.5.3, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider avoiding the use of the `UnravelIndex` function with large input values until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.8.0 TensorFlow versions 2.7.1 and earlier TensorFlow versions 2.6.3 and earlier TensorFlow versions 2.5.3 and earlier **Description** The implementation of `FractionalAvgPoolGrad` does not consider cases where the input tensors are invalid, allowing an attacker to read from outside of bounds of heap. This issue can be exploited by providing invalid input tensors to the `FractionalAvgPoolGrad` function. **Recommendations** For versions prior to 2.8.0, update to TensorFlow 2.8.0 or later. For versions 2.7.1 and earlier, update to TensorFlow 2.7.1 or later. For versions 2.6.3 and earlier, update to TensorFlow 2.6.3 or later. For versions 2.5.3 and earlier, update to TensorFlow 2.5.3 or later. As a temporary workaround, consider restricting the use of the `FractionalAvgPoolGrad` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.8.0 TensorFlow versions 2.7.1 and earlier TensorFlow versions 2.6.3 and earlier TensorFlow versions 2.5.3 and earlier **Description** The implementation of shape inference for `ConcatV2` can be used to trigger a denial of service attack via a segfault caused by a type confusion. The `axis` argument is translated into `concat dim` in the `ConcatShapeHelper` helper function. Then, a value for `min rank` is computed based on `concat dim`. This is then used to validate that the `values` tensor has at least the required rank. However, `WithRankAtLeast` receives the lower bound as a 64-bits value and then compares it against the maximum 32-bits integer value that could be represented. Due to the fact that `min rank` is a 32-bits value and the value of `axis`, the `rank` argument is a negative value, so the error check is bypassed. **Recommendations** For TensorFlow versions prior to 2.8.0, update to version 2.8.0 or later to resolve the issue. For TensorFlow versions 2.7.1 and earlier, update to version 2.7.1 or later to resolve the issue. For TensorFlow versions 2.6.3 and earlier, update to version 2.6.3 or later to resolve the issue. For TensorFlow versions 2.5.3 and earlier, update to version 2.5.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `ConcatV2` function until a patch is available.