PT-2022-15076 · Google · Tensorflow
Faysal Hossain Shezan
·
Published
2022-02-03
·
Updated
2024-03-06
·
CVE-2022-21736
CVSS v3.1
7.6
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H |
Name of the Vulnerable Software and Affected Versions
TensorFlow versions prior to 2.8.0
TensorFlow versions 2.7.1, 2.6.3, and 2.5.3 are also affected
Description
The implementation of
SparseTensorSliceDataset has an undefined behavior, which can cause a nullptr value to be dereferenced under certain conditions. The 3 input arguments to SparseTensorSliceDataset represent a sparse tensor, but the preconditions for these arguments are not validated in the implementation.Recommendations
For versions prior to 2.8.0, update to TensorFlow 2.8.0 or later to resolve the issue.
For version 2.7.1, update to a version that includes the cherrypicked commit.
For version 2.6.3, update to a version that includes the cherrypicked commit.
For version 2.5.3, update to a version that includes the cherrypicked commit.
As a temporary workaround, consider validating the input arguments to
SparseTensorSliceDataset to ensure they satisfy the required preconditions.Exploit
Fix
NULL Pointer Dereference
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Tensorflow