PT-2022-23083 · Google · Tensorflow

Di Jin

·

Published

2022-09-16

·

Updated

2024-03-06

·

CVE-2022-35985

CVSS v3.1

5.9

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

TensorFlow before 2.10.0. Within the maintained release lines this means 2.7.x before 2.7.2, 2.8.x before 2.8.1 and 2.9.x before 2.9.1; 2.7.2, 2.8.1 and 2.9.1 carry the backported fix and are not affected.

Description

LRNGrad, the gradient kernel for local response normalization, expects its output_image input to be a 4-D tensor. If it is given an output_image tensor of any other rank, the kernel hits a CHECK failure. A CHECK failure aborts the whole process rather than returning an error, so a caller who can pass a malformed output_image to tf.raw_ops.LRNGrad can crash the TensorFlow process and cause a denial of service. No estimate of the number of affected deployments is provided.

Recommendations

Update to TensorFlow 2.10.0 or later. If you are on a maintained older release line, update 2.9.x to 2.9.1, 2.8.x to 2.8.1, or 2.7.x to 2.7.2, which contain the backported fix. As a temporary workaround until you can upgrade, validate the rank of the output_image tensor (rank 4) before passing it to LRNGrad, so that a malformed tensor is rejected with a catchable error instead of reaching the CHECK in the kernel.
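The workaround above, as an added example that is not part of this advisory or of TensorFlow itself: a shape validator that runs before tf.raw_ops.LRNGrad is called, plus a thin wrapper that applies it. The validator checks all three LRNGrad inputs, not only output_image, and also checks that they share one shape and that depth_radius is non-negative; those extra checks are an assumption about what a caller would want, not conditions the advisory names. Function names, the sample shapes and the default attribute values are constructed for the example.

```python
"""Guard for tf.raw_ops.LRNGrad: reject a malformed output_image before the kernel sees it."""
from typing import Sequence


def check_lrn_grad_shapes(input_grads_shape: Sequence[int],
                          input_image_shape: Sequence[int],
                          output_image_shape: Sequence[int],
                          depth_radius: int = 5) -> bool:
    """Validate the static shapes LRNGrad expects.

    LRNGrad works on tensors laid out as [batch, height, width, depth].
    On affected TensorFlow builds a non-4-D output_image reaches a CHECK in the
    kernel and aborts the process; rejecting it here turns that into a
    catchable ValueError. Returns True when the shapes are acceptable.
    The same-shape and depth_radius checks are an assumption of this example.
    """
    shapes = {
        "input_grads": tuple(input_grads_shape),
        "input_image": tuple(input_image_shape),
        "output_image": tuple(output_image_shape),
    }
    for name, shape in shapes.items():
        if len(shape) != 4:
            raise ValueError(f"{name} must be 4-D, got rank {len(shape)} shape {shape}")
        if any(d is None or d < 0 for d in shape):
            raise ValueError(f"{name} has an unknown or negative dimension: {shape}")
    if len(set(shapes.values())) != 1:
        raise ValueError(f"LRNGrad inputs must share one shape, got {shapes}")
    if depth_radius < 0:
        raise ValueError(f"depth_radius must be non-negative, got {depth_radius}")
    return True


def lrn_grad_guarded(input_grads, input_image, output_image,
                     depth_radius=5, bias=1.0, alpha=1.0, beta=0.5):
    """Validate shapes, then delegate to tf.raw_ops.LRNGrad.

    Inputs are converted with tf.convert_to_tensor so the static shape can be
    inspected before the kernel runs. TensorFlow is imported lazily so the
    validator above stays usable (and testable) without it installed.
    """
    import tensorflow as tf

    ig = tf.convert_to_tensor(input_grads)
    ii = tf.convert_to_tensor(input_image)
    oi = tf.convert_to_tensor(output_image)
    # as_list() raises ValueError itself on a fully unknown shape, which is the
    # outcome we want: never hand an unchecked tensor to the kernel.
    check_lrn_grad_shapes(ig.shape.as_list(), ii.shape.as_list(),
                          oi.shape.as_list(), depth_radius)
    return tf.raw_ops.LRNGrad(input_grads=ig, input_image=ii, output_image=oi,
                              depth_radius=depth_radius, bias=bias,
                              alpha=alpha, beta=beta)


if __name__ == "__main__":
    # Constructed shapes: valid 4-D inputs beside a 6-D output_image of the kind
    # that triggers the CHECK failure on an unpatched build.
    good = [4, 4, 4, 4]
    bad_output_image = [4, 4, 4, 4, 4, 4]
    print(check_lrn_grad_shapes(good, good, good))
    try:
        check_lrn_grad_shapes(good, good, bad_output_image)
    except ValueError as err:
        print("rejected:", err)
```

The validator runs on static shapes, so it is only as good as the shape information available at the call site; in eager mode every tensor has a fully known shape, while in a traced graph with unknown dimensions the as_list() call fails closed. Once you are on a fixed release the wrapper can be dropped, since the kernel then rejects a non-4-D output_image with an InvalidArgument error instead of aborting.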

Exploit

Fix

Assertion Failure

Weakness Enumeration

Related Identifiers

BIT-TENSORFLOW-2022-35985
CVE-2022-35985
GHSA-9942-R22V-78CP
OPENSUSE-SU-2024:12355-1

Affected Products

Tensorflow