PT-2022-16110 · Google · Tensorflow

Mihaimaruseac · Published 2022-02-04 · Updated 2024-03-06 · CVE-2022-23593

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: TensorFlow version 2.8.0

Description: The simplifyBroadcast function in the MLIR-TFRT infrastructure is vulnerable to a segfault, resulting in a denial of service, when called with scalar shapes. If all shapes are scalar, maxRank is 0, leading to the construction of an empty SmallVector.

Recommendations: For TensorFlow version 2.8.0, update to a version that includes the fix, which will be available in the next release. As a temporary workaround, consider avoiding the use of scalar shapes with the simplifyBroadcast function until the patch is applied.

Exploit

Fix

Weakness Enumeration: Improper Check for Exceptional Conditions

Related Identifiers:
BIT-TENSORFLOW-2022-23593
CVE-2022-23593
GHSA-GWCX-JRX4-92W2
PYSEC-2022-102
PYSEC-2022-157

Affected Products: Tensorflow