CVE-2022-36011

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1 and earlier TensorFlow versions 2.8.1 and earlier TensorFlow versions 2.7.2 and earlier

Description The issue occurs when the mlir::tfg::ConvertGenericFunctionToFunctionDef function is given empty function attributes, resulting in a null dereference. This happens when the namedAttr.first is empty, causing the program to crash. The estimated number of potentially affected devices worldwide is not available.

Recommendations For TensorFlow versions prior to 2.10.0, update to version 2.10.0 or later. For TensorFlow versions 2.9.1 and earlier, update to version 2.9.1 or later, or apply the patch from GitHub commit 1cf45b831eeb0cab8655c9c7c5d06ec6f45fc41b. For TensorFlow versions 2.8.1 and earlier, update to version 2.8.1 or later, or apply the patch from GitHub commit 1cf45b831eeb0cab8655c9c7c5d06ec6f45fc41b. For TensorFlow versions 2.7.2 and earlier, update to version 2.7.2 or later, or apply the patch from GitHub commit 1cf45b831eeb0cab8655c9c7c5d06ec6f45fc41b. As a temporary workaround, consider adding a check to ensure that namedAttr.first is not empty before processing it.