CVE-2022-35996

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.0 through 2.9.0 TensorFlow versions 2.8.0 through 2.8.0 TensorFlow versions 2.7.0 through 2.7.1

Description The issue occurs when the Conv2D function is given an empty input and valid filter and padding sizes, resulting in an all-zeros output. This causes division-by-zero floating point exceptions that can be used to trigger a denial of service attack.

Recommendations For TensorFlow versions prior to 2.10.0, update to TensorFlow 2.10.0 or later. For TensorFlow versions 2.9.0, update to TensorFlow 2.9.1 or later. For TensorFlow versions 2.8.0, update to TensorFlow 2.8.1 or later. For TensorFlow versions 2.7.0 and 2.7.1, update to TensorFlow 2.7.2 or later. As a temporary workaround, consider avoiding the use of the Conv2D function with empty input until a patch is available.