CVE-2022-21729

Name of the Vulnerable Software and Affected Versions TensorFlow versions 2.5.3 through 2.7.1 TensorFlow version 2.8.0 is not affected as it includes the fix.

Description The implementation of UnravelIndex is vulnerable to a division by zero caused by an integer overflow bug. This issue can be exploited using the tf.raw ops.UnravelIndex function with specific parameters, such as indices=-0x100000 and dims=[0x100000,0x100000]. The vulnerability has been reported by Yu Tian of Qihoo 360 AIVul Team.

Recommendations For TensorFlow versions 2.5.3, 2.6.3, and 2.7.1, update to the respective patched versions to resolve the issue. For TensorFlow versions prior to 2.5.3, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider avoiding the use of the UnravelIndex function with large input values until a patch is available.