CVE-2022-41883

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.11 TensorFlow version 2.10.1 TensorFlow version 2.9.3 TensorFlow version 2.8.4

Description The issue occurs when ops with specified input sizes receive a differing number of inputs, causing the executor to crash. This is demonstrated in the tf.raw ops.DynamicStitch operation, which specifies input sizes when registered. When it receives a differing number of inputs, such as when called with an indices size 1 and a data size 2, it will crash. The estimated number of potentially affected devices is not provided.

Recommendations For TensorFlow versions prior to 2.11, update to version 2.11 or later. For TensorFlow version 2.10.1, apply the patch from GitHub commit f5381e0e10b5a61344109c1b7c174c68110f7629 or update to a later version. For TensorFlow version 2.9.3, apply the patch from GitHub commit f5381e0e10b5a61344109c1b7c174c68110f7629 or update to a later version. For TensorFlow version 2.8.4, apply the patch from GitHub commit f5381e0e10b5a61344109c1b7c174c68110f7629 or update to a later version. As a temporary workaround, consider avoiding the use of the tf.raw ops.DynamicStitch operation with differing input sizes until a patch is applied or the version is updated.