PT-2022-16102 · Google · Tensorflow · Mihaimaruseac
Published 2022-02-04 · Updated 2024-03-06
CVE-2022-23585 · CVSS v3.1 4.3 Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
TensorFlow versions prior to 2.8.0
TensorFlow version 2.7.1
TensorFlow version 2.6.3
TensorFlow version 2.5.3
Description
When decoding PNG images, TensorFlow can produce a memory leak if the image is invalid. After calling png::CommonInitDecode(..., &decode), the decode value contains allocated buffers which can only be freed by calling png::CommonFreeDecode(&decode). However, several error cases in the function implementation invoke the OP_REQUIRES macro, which immediately terminates the execution of the function without allowing the memory to be freed.
Recommendations
For TensorFlow versions prior to 2.8.0, update to version 2.8.0 or later to resolve the issue.
For TensorFlow versions 2.7.1, 2.6.3 and 2.5.3, update to a newer version that includes the fix, such as version 2.8.0.
As a temporary workaround, consider disabling the decoding of PNG images until a patch is available.
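The early-return pattern the description refers to, as an added C++ illustration that is not TensorFlow's code: DecodeContext, InitDecode, FreeDecode, REQUIRE_OR_RETURN and LeakedBy are constructed stand-ins for the decode value, png::CommonInitDecode, png::CommonFreeDecode and the OP_REQUIRES macro, with a live-buffer counter so the leak is measurable, and the fixed variant frees on every exit path through an RAII guard.

```cpp
#include <cstdint>
#include <vector>

// Constructed stand-in for the decoder context (not TensorFlow's real
// png::CommonInitDecode/CommonFreeDecode): two heap buffers plus a counter
// of live buffers so a leak is observable.
static int g_live_buffers = 0;
struct DecodeContext { uint8_t* row_buf = nullptr; uint8_t* palette = nullptr; };

static void InitDecode(DecodeContext* d) {
  d->row_buf = new uint8_t[4096];
  d->palette = new uint8_t[768];
  g_live_buffers += 2;
}
static void FreeDecode(DecodeContext* d) {
  delete[] d->row_buf;
  delete[] d->palette;
  g_live_buffers -= 2;
}

// Stand-in for OP_REQUIRES: on a failed check, leave the function at once.
#define REQUIRE_OR_RETURN(cond) do { if (!(cond)) return false; } while (0)

// Vulnerable shape: each early return after InitDecode skips FreeDecode.
bool DecodeLeaky(const std::vector<uint8_t>& img) {
  DecodeContext d;
  InitDecode(&d);
  REQUIRE_OR_RETURN(img.size() >= 8);                  // header present?
  REQUIRE_OR_RETURN(img[0] == 0x89 && img[1] == 'P');  // PNG signature?
  FreeDecode(&d);  // only reached on the success path
  return true;
}

// Fixed shape: an RAII guard runs FreeDecode on every exit path, so the
// same early returns no longer leak.
struct DecodeGuard {
  DecodeContext* d;
  ~DecodeGuard() { FreeDecode(d); }
};
bool DecodeFixed(const std::vector<uint8_t>& img) {
  DecodeContext d;
  InitDecode(&d);
  DecodeGuard guard{&d};
  REQUIRE_OR_RETURN(img.size() >= 8);
  REQUIRE_OR_RETURN(img[0] == 0x89 && img[1] == 'P');
  return true;
}

// Buffers a decode call left allocated (0 means no leak).
int LeakedBy(bool (*decode)(const std::vector<uint8_t>&), const std::vector<uint8_t>& img) {
  int before = g_live_buffers;
  decode(img);
  return g_live_buffers - before;
}
```

Run each decoder over a constructed invalid input (a two-byte blob) and a valid PNG signature: the leaky variant leaves two buffers behind on the invalid input, the guarded one leaves none either way.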
Memory Leak
Affected Products
Tensorflow