CVE-2022-41900

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.11.0 TensorFlow version 2.10.1 and earlier

Description The issue results in FractionalMax(AVG)Pool with an illegal pooling ratio, allowing attackers to access heap memory not under user control, potentially leading to a crash or remote code execution. An input pooling ratio that is smaller than 1 will trigger a heap out-of-bounds in tf.raw ops.FractionalMaxPool and tf.raw ops.FractionalAvgPool.

Recommendations For TensorFlow versions prior to 2.11.0, update to TensorFlow 2.11.0 to resolve the issue. For TensorFlow version 2.10.1 and earlier, cherry pick the commit 216525144ee7c910296f5b05d214ca1327c9ce48 or update to a version that includes this commit to fix the vulnerability. As a temporary workaround, consider validating the pooling ratio input to ensure it is not smaller than 1 to prevent heap out-of-bounds in tf.raw ops.FractionalMaxPool and tf.raw ops.FractionalAvgPool.