CVE-2022-36001

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1 and earlier TensorFlow versions 2.8.1 and earlier TensorFlow versions 2.7.2 and earlier

Description The issue occurs when the DrawBoundingBoxes function receives an input boxes that is not of dtype float, resulting in a CHECK fail that can trigger a denial of service attack. This can happen when the input boxes has a different data type, such as tf.half. The estimated number of potentially affected devices is not provided. There are no known real-world incidents where this issue was exploited.

Recommendations For TensorFlow versions prior to 2.10.0, update to version 2.10.0 or later. For TensorFlow versions 2.9.1 and earlier, update to version 2.9.1 or later. For TensorFlow versions 2.8.1 and earlier, update to version 2.8.1 or later. For TensorFlow versions 2.7.2 and earlier, update to version 2.7.2 or later. As a temporary workaround, consider validating the input data type for the boxes parameter in the DrawBoundingBoxes function to ensure it is of dtype float before passing it to the function.