PT-2022-26120 · Google · TensorFlow

Pattarakrit Rattankul · Published 2022-11-18 · Updated 2025-01-15 · CVE-2022-41889

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.11
TensorFlow versions 2.10.1 and earlier
TensorFlow versions 2.9.3 and earlier
TensorFlow versions 2.8.4 and earlier

Description

TensorFlow is an open source platform for machine learning. If a list of quantized tensors is assigned to an op attribute, the pywrap code fails to parse the tensor and returns a nullptr, which is not caught and is subsequently dereferenced. An example can be seen in tf.compat.v1.extract_volume_patches by passing quantized tensors as the input ksizes.

Recommendations

For versions prior to 2.11, update to TensorFlow 2.11 or later.
For versions 2.10.1 and earlier, update to TensorFlow 2.10.1 or later.
For versions 2.9.3 and earlier, update to TensorFlow 2.9.3 or later.
For versions 2.8.4 and earlier, update to TensorFlow 2.8.4 or later.

As a temporary workaround, avoid passing quantized tensors as the input ksizes to tf.compat.v1.extract_volume_patches until a patched version can be installed.
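The workaround above can be enforced in application code rather than by convention. The following is an added example, not TensorFlow's own code or the advisory author's: a hypothetical `validate_ksizes` helper rejects anything tensor-like (quantized dtypes in particular) before the attribute list reaches the pywrap layer, and `safe_extract_volume_patches` wraps the real op with that check. The quantized dtype names are TensorFlow's; the rejection of numpy scalars is a deliberate strictness choice.

```python
"""Defensive validation of the `ksizes` attribute list for extract_volume_patches.

Hypothetical helper (not part of TensorFlow): the op expects ksizes to be a static
list of plain Python ints of the form [1, kd, kh, kw, 1]. Tensor-like values,
and quantized tensors (qint8, quint8, ...) in particular, are refused up front so
the pywrap attribute parser never sees them.
"""
from typing import Any, List, Sequence

# dtype.name values of TensorFlow's quantized tensor types.
QUANTIZED_DTYPE_NAMES = {"qint8", "quint8", "qint16", "quint16", "qint32"}


def validate_ksizes(ksizes: Any) -> List[int]:
    """Return ksizes as a list of 5 ints, or raise TypeError / ValueError."""
    # A single tensor-like object (anything exposing a dtype) is not an attr list.
    if hasattr(ksizes, "dtype") or isinstance(ksizes, (str, bytes)):
        raise TypeError("ksizes must be a list of Python ints, not a tensor")
    if not isinstance(ksizes, Sequence):
        raise TypeError("ksizes must be a sequence of Python ints")
    checked: List[int] = []
    for i, k in enumerate(ksizes):
        dtype = getattr(k, "dtype", None)
        if dtype is not None:
            # Tensors and numpy scalars carry a dtype; plain ints do not.
            name = getattr(dtype, "name", str(dtype))
            kind = "quantized tensor" if name in QUANTIZED_DTYPE_NAMES else "tensor"
            raise TypeError(f"ksizes[{i}] is a {kind} ({name}); plain ints required")
        if isinstance(k, bool) or not isinstance(k, int):
            raise TypeError(f"ksizes[{i}] must be an int, got {type(k).__name__}")
        if k < 1:
            raise ValueError(f"ksizes[{i}] must be >= 1, got {k}")
        checked.append(k)
    if len(checked) != 5 or checked[0] != 1 or checked[4] != 1:
        raise ValueError("ksizes must have the form [1, kd, kh, kw, 1]")
    return checked


def safe_extract_volume_patches(images, ksizes, strides, padding: str):
    """Validate the attribute list, then delegate to the real TensorFlow op."""
    ksizes = validate_ksizes(ksizes)
    import tensorflow as tf  # deferred so validate_ksizes is usable without TF

    return tf.compat.v1.extract_volume_patches(images, ksizes, strides, padding)
```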

Weakness Enumeration

NULL Pointer Dereference

Related Identifiers

AZL-11528
BIT-TENSORFLOW-2022-41889
CVE-2022-41889
GHSA-XXCJ-RHQG-M46G

Affected Products

TensorFlow