CVE-2022-23595

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.8.0 TensorFlow versions 2.7.1 and earlier TensorFlow versions 2.6.3 and earlier TensorFlow versions 2.5.3 and earlier

Description The issue occurs when building an XLA compilation cache with default settings, triggering a null pointer dereference. In the default scenario, all devices are allowed, so flr->config proto is nullptr. This happens because the gpu options and visible device list are accessed without checking if flr->config proto is null.

Recommendations For versions prior to 2.8.0, update to TensorFlow 2.8.0 or later. For versions 2.7.1 and earlier, update to TensorFlow 2.7.1 or later. For versions 2.6.3 and earlier, update to TensorFlow 2.6.3 or later. For versions 2.5.3 and earlier, update to TensorFlow 2.5.3 or later. As a temporary workaround, consider modifying the default settings to avoid the null pointer dereference until a patch is available.