CVE-2022-35984

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1 and earlier TensorFlow versions 2.8.1 and earlier TensorFlow versions 2.7.2 and earlier

Description The issue arises from ParameterizedTruncatedNormal assuming shape is of type int32, but a valid shape of type int64 results in a mismatched type CHECK fail that can be used to trigger a denial of service attack. This can be exploited by providing a shape variable of type int64. The estimated number of potentially affected devices is not specified.

Recommendations For versions prior to 2.10.0, update to TensorFlow 2.10.0 or later. For versions 2.9.1 and earlier, update to TensorFlow 2.9.1 or later. For versions 2.8.1 and earlier, update to TensorFlow 2.8.1 or later. For versions 2.7.2 and earlier, update to TensorFlow 2.7.2 or later. As a temporary workaround, consider avoiding the use of ParameterizedTruncatedNormal with shape variables of type int64 until a patch is available.