PT-2022-26140 · Google · Tensorflow

Published 2022-11-18 · Updated 2024-03-06 · CVE-2022-41909

CVSS v3.1: 4.8 Medium

Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.11
TensorFlow versions 2.10.1, 2.9.3, and 2.8.4

Description

TensorFlow is an open source platform for machine learning. An input passed as the encoded argument that is not a valid CompositeTensorVariant tensor will trigger a segfault in tf.raw_ops.CompositeTensorVariantToComponents.

Recommendations

For TensorFlow versions prior to 2.11, update to version 2.11 or later. For TensorFlow versions 2.10.1, 2.9.3, and 2.8.4, apply the cherry-picked commit to resolve the issue. As a temporary workaround, consider validating the encoded input to ensure it is a valid CompositeTensorVariant tensor before passing it to tf.raw_ops.CompositeTensorVariantToComponents.

Exploit

Fix

NULL Pointer Dereference

RCE

Weakness Enumeration

Related Identifiers

AZL-11543
BIT-TENSORFLOW-2022-41909
CVE-2022-41909
GHSA-RJX6-V474-2CH9

Affected Products

Tensorflow