PT-2022-23063 · Google · Tensorflow

Neophytos Christou · Published 2022-09-16 · Updated 2024-03-06 · CVE-2022-35964

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: TensorFlow releases before 2.7.2, the 2.8.0 release, and the 2.9.0 release. TensorFlow 2.10.0 is not affected as it includes the fix, which was also cherry-picked into the 2.7.2, 2.8.1 and 2.9.1 patch releases.
Description: The implementation of BlockLSTMGradV2 (reachable as tf.raw_ops.BlockLSTMGradV2) does not fully validate the ranks of its inputs, so malformed tensors reach the kernel and cause a segfault that can be used to trigger a denial of service. Specifically, the inputs wci, wcf, wco and b must be rank 1; w, cs_prev and h_prev must be rank 2; and x must be rank 3.
Recommendations: Upgrade to TensorFlow 2.10.0, or to the patched 2.9.1, 2.8.1 or 2.7.2 release for the minor version in use. Releases older than the 2.7 line are outside the supported range and received no fix. Until an upgrade is possible, do not expose BlockLSTMGradV2 to untrusted inputs, or validate the input ranks before calling it.
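The rank constraints in the description, and the pre-validation workaround in the recommendations, can be applied on the caller side as shown in the following added example. This is not TensorFlow's own validation code; the function names, the dictionary of required ranks and the sample tensors are constructed for illustration, and the block runs without TensorFlow installed.

```python
"""Caller-side rank validation for BlockLSTMGradV2 inputs.

Added example; it is not TensorFlow's own validation code. It mirrors the rank
requirements stated in the advisory so that malformed tensors can be rejected
before they reach tf.raw_ops.BlockLSTMGradV2 on an unpatched build.
"""
from typing import Any, Dict, List, Mapping

# Required rank of each input named in the advisory.
REQUIRED_RANKS: Dict[str, int] = {
    "wci": 1, "wcf": 1, "wco": 1, "b": 1,   # peephole weights and bias: vectors
    "w": 2, "cs_prev": 2, "h_prev": 2,      # weight matrix and previous states
    "x": 3,                                 # input: [timelen, batch, input_size]
}


def rank(value: Any) -> int:
    """Rank of a tensor-like value.

    Objects exposing a ``shape`` attribute (numpy arrays, tf tensors) use
    len(shape); nested Python lists/tuples use their nesting depth; anything
    else is treated as a scalar of rank 0.
    """
    shape = getattr(value, "shape", None)
    if shape is not None:
        return len(shape)
    depth = 0
    while isinstance(value, (list, tuple)):
        depth += 1
        if not value:
            break
        value = value[0]
    return depth


def rank_errors(inputs: Mapping[str, Any]) -> List[str]:
    """Return one message per violated rank constraint; an empty list means OK."""
    errors: List[str] = []
    for name, want in REQUIRED_RANKS.items():
        if name not in inputs:
            errors.append(f"{name}: missing")
            continue
        got = rank(inputs[name])
        if got != want:
            errors.append(f"{name}: rank {got}, expected {want}")
    return errors


def check_block_lstm_grad_inputs(inputs: Mapping[str, Any]) -> Mapping[str, Any]:
    """Raise ValueError instead of letting a malformed shape reach the kernel."""
    errors = rank_errors(inputs)
    if errors:
        raise ValueError("BlockLSTMGradV2 input rank violation: " + "; ".join(errors))
    return inputs


# Constructed sample inputs (timelen=1, batch=1, input_size=3, cell_size=2).
# w is [input_size + cell_size, 4 * cell_size]; b is [4 * cell_size].
VALID_INPUTS: Dict[str, Any] = {
    "x": [[[0.1, 0.2, 0.3]]],
    "cs_prev": [[0.0, 0.0]],
    "h_prev": [[0.0, 0.0]],
    "w": [[0.0] * 8 for _ in range(5)],
    "wci": [0.0, 0.0],
    "wcf": [0.0, 0.0],
    "wco": [0.0, 0.0],
    "b": [0.0] * 8,
}

# Constructed malformed inputs of the kind the advisory describes:
# x has rank 2 instead of 3, and wci is a scalar instead of a vector.
MALFORMED_INPUTS: Dict[str, Any] = dict(VALID_INPUTS, x=[[0.1, 0.2, 0.3]], wci=0.0)


if __name__ == "__main__":
    check_block_lstm_grad_inputs(VALID_INPUTS)
    try:
        check_block_lstm_grad_inputs(MALFORMED_INPUTS)
    except ValueError as exc:
        print(exc)
```

The check only covers the rank requirements the advisory lists; dimension-compatibility errors between inputs (for example a w whose row count does not match input_size plus cell_size) are a separate matter and are left to the op itself.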

Exploit

Denial of service (segfault), not RCE: the CVSS vector scores availability impact only (C:N/I:N/A:H).

Weakness Enumeration

Related Identifiers

BIT-TENSORFLOW-2022-35964
CVE-2022-35964
GHSA-F7R5-Q7CX-H668
OPENSUSE-SU-2024:12355-1

Affected Products

Tensorflow