PT-2022-19460 · Google · Tensorflow

Neophytos Christou

·

Published

2022-05-20

·

Updated

2024-03-06

·

CVE-2022-29208

CVSS v3.1

7.1

High

Vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.9.0
TensorFlow versions prior to 2.8.1
TensorFlow versions prior to 2.7.2
TensorFlow versions prior to 2.6.4
Description

The implementation of tf.raw_ops.EditDistance has incomplete validation, allowing users to pass negative values and cause a segmentation-fault-based denial of service. In multiple places in the kernel, a value (loc) is computed as the index for a write into the output tensor, but the existing validation only checks it against the upper bound of the array. A negative loc passes that check, so the write lands before the start of the array.
Recommendations

For versions prior to 2.9.0, update to version 2.9.0 or later. For versions prior to 2.8.1, update to version 2.8.1 or later. For versions prior to 2.7.2, update to version 2.7.2 or later. For versions prior to 2.6.4, update to version 2.6.4 or later. Until the patched release can be deployed, consider blocking use of the tf.raw_ops.EditDistance op, in particular on models or inputs from untrusted sources.

Exploit

Fix

Memory Corruption

Weakness Enumeration

Related Identifiers

BIT-TENSORFLOW-2022-29208
CVE-2022-29208
GHSA-2R2F-G8MW-9GVR

Affected Products

Tensorflow