CVE-2022-35952

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1 and earlier TensorFlow versions 2.8.1 and earlier TensorFlow versions 2.7.2 and earlier

Description The UnbatchGradOp function in TensorFlow takes an argument id that is assumed to be a scalar. A nonscalar id can trigger a CHECK failure and crash the program. It also requires its argument batch index to contain three times the number of elements as indicated in its batch index.dim size(0). An incorrect batch index can trigger a CHECK failure and crash the program.

Recommendations For versions prior to 2.10.0, update to TensorFlow 2.10.0 or later. For versions 2.9.1 and earlier, update to TensorFlow 2.9.1 or later. For versions 2.8.1 and earlier, update to TensorFlow 2.8.1 or later. For versions 2.7.2 and earlier, update to TensorFlow 2.7.2 or later. As a temporary workaround, consider disabling the UnbatchGradOp function until a patch is available. Restrict access to the batch index and id parameters in the affected API endpoint until the issue is resolved. Avoid using the id parameter with nonscalar values in the affected API endpoint until the issue is resolved. Avoid using the batch index parameter with incorrect sizes in the affected API endpoint until the issue is resolved.