PT-2022-15073 · Google · Tensorflow
Yu Tian · Published 2022-02-03 · Updated 2024-03-06 · CVE-2022-21733

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
TensorFlow versions prior to 2.8.0
TensorFlow versions 2.7.1 and earlier
TensorFlow versions 2.6.3 and earlier
TensorFlow versions 2.5.3 and earlier
Description
The implementation of StringNGrams can be used to trigger a denial of service by causing an out-of-memory condition after an integer overflow. The root cause is missing validation of the pad width: an unchecked pad width leads to a negative value being computed for the ngram width, and that negative width is later used to allocate parts of the output.
Recommendations
For versions prior to 2.8.0, update to TensorFlow 2.8.0 or later.
For versions 2.7.1 and earlier, update to TensorFlow 2.7.1 or later.
For versions 2.6.3 and earlier, update to TensorFlow 2.6.3 or later.
For versions 2.5.3 and earlier, update to TensorFlow 2.5.3 or later.
Until a patched version can be deployed: as a temporary workaround, consider disabling the StringNGrams function; restrict access to the StringNGrams function to minimize the risk of exploitation; and avoid using the pad width parameter of the affected API endpoint until the issue is resolved.

Exploit · Fix

Categories: Resource Exhaustion, Integer Overflow

Weakness Enumeration

Related Identifiers

BIT-TENSORFLOW-2022-21733
CVE-2022-21733
GHSA-98J8-C9Q4-R38G
OPENSUSE-SU-2024:12116-1
PYSEC-2022-112
PYSEC-2022-57

Affected Products

Tensorflow