PT-2022-16087 · Google · Tensorflow

Mihaimaruseac · Published 2022-02-04 · Updated 2024-03-06 · CVE-2022-23570

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.8.0; TensorFlow versions 2.7.0 through 2.7.1; TensorFlow versions 2.6.0 through 2.6.3

Description: When decoding a tensor from protobuf, TensorFlow might dereference a null pointer if attributes of some mutable arguments to some operations are missing from the proto. The condition is guarded only by a DCHECK. In production builds the DCHECK is a no-op, so execution proceeds to dereference the null pointer; in debug builds it raises an assertion failure, and the process crashes.

Recommendations: For versions prior to 2.8.0, update to TensorFlow 2.8.0 or later. For versions 2.7.0 through 2.7.1, update to TensorFlow 2.7.1 or later. For versions 2.6.0 through 2.6.3, update to TensorFlow 2.6.3 or later.
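The description hinges on one detail: a DCHECK is not a guard in release builds. The following added example (not TensorFlow's code; `MY_DCHECK`, `NodeDef`, `AttrValue`, `Status` and the attribute name `shape` are hypothetical stand-ins) shows a debug-only check that compiles away under `NDEBUG`, the reader that relies on it, and the checked alternative that turns a missing attribute into an error the caller can handle instead of a crash.

```cpp
// Added example, not TensorFlow source: a debug-only check is no protection in
// a release (NDEBUG) build. All names below are hypothetical stand-ins.
#include <cstdio>
#include <cstdlib>
#include <map>
#include <string>

// Stand-in for a DCHECK-style macro: in release builds the condition is never
// even evaluated, so anything after it runs unconditionally.
#ifdef NDEBUG
#define MY_DCHECK(cond) ((void)0)
#else
#define MY_DCHECK(cond)                                             \
  do {                                                              \
    if (!(cond)) {                                                  \
      std::fprintf(stderr, "DCHECK failed: %s\n", #cond);           \
      std::abort();                                                 \
    }                                                               \
  } while (0)
#endif

// Minimal stand-in for a decoded node: named attributes, some of which may be
// absent when the proto was truncated or hand-built.
struct AttrValue { int value; };

struct NodeDef {
  std::map<std::string, AttrValue> attrs;
  // Returns nullptr when the attribute is missing, like a typical lookup API.
  const AttrValue* FindAttr(const std::string& name) const {
    auto it = attrs.find(name);
    return it == attrs.end() ? nullptr : &it->second;
  }
};

// Vulnerable pattern: the only guard is the debug-only check, so in a release
// build a missing attribute flows straight into a null dereference.
int ReadShapeAttrUnchecked(const NodeDef& node) {
  const AttrValue* attr = node.FindAttr("shape");
  MY_DCHECK(attr != nullptr);  // no-op when NDEBUG is defined
  return attr->value;          // null dereference if "shape" is absent
}

// Hardened pattern: the check is part of production control flow and the
// caller receives an error status instead of a crash.
struct Status { bool ok; std::string message; };

Status ReadShapeAttrChecked(const NodeDef& node, int* out) {
  const AttrValue* attr = node.FindAttr("shape");
  if (attr == nullptr) {
    return {false, "attribute 'shape' missing from node"};
  }
  *out = attr->value;
  return {true, ""};
}

// Convenience predicate: does the checked reader reject this node?
bool RejectsMissingAttr(const NodeDef& node) {
  int unused = 0;
  return !ReadShapeAttrChecked(node, &unused).ok;
}

int main() {
  NodeDef good;                      // constructed sample: attribute present
  good.attrs["shape"] = AttrValue{4};
  NodeDef bad;                       // constructed sample: attribute missing

  int v = 0;
  Status s = ReadShapeAttrChecked(good, &v);
  std::printf("good node: ok=%d value=%d\n", s.ok, v);
  s = ReadShapeAttrChecked(bad, &v);
  std::printf("bad node:  ok=%d message=%s\n", s.ok, s.message.c_str());
  std::printf("unchecked reader on good node: %d\n",
              ReadShapeAttrUnchecked(good));
  // ReadShapeAttrUnchecked(bad) is deliberately not called: with NDEBUG it
  // dereferences nullptr; without it, MY_DCHECK aborts the process.
  return 0;
}
```

Compile once with and once without `-DNDEBUG` to see the two behaviours the advisory describes: the assertion fires only in the debug build, and only the checked reader refuses the malformed node in both.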

References: Exploit · Fix

Weakness Enumeration

NULL Pointer Dereference
Assertion Failure

Related Identifiers

BIT-TENSORFLOW-2022-23570
CVE-2022-23570
GHSA-9P77-MMRW-69C7
OPENSUSE-SU-2024:12116-1
PYSEC-2022-134
PYSEC-2022-79

Affected Products

Tensorflow