CVE-2022-35966

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1, 2.8.1, and 2.7.2

Description The issue occurs when QuantizedAvgPool is given min input or max input tensors of a nonzero rank, resulting in a segfault that can be used to trigger a denial of service attack.

Recommendations For TensorFlow versions prior to 2.10.0, update to version 2.10.0 or later. For TensorFlow versions 2.9.1, 2.8.1, and 2.7.2, cherrypick the commit 7cdf9d4d2083b739ec81cfdace546b0c99f50622 to resolve the issue. As a temporary workaround, consider avoiding the use of QuantizedAvgPool with min input or max input tensors of a nonzero rank until a patch is available.