CVE-2022-41911

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.11.0 TensorFlow versions 2.10.1 and earlier TensorFlow versions 2.9.3 and earlier TensorFlow versions 2.8.4 and earlier

Description The issue arises when printing a tensor, as the data is retrieved as a const char* array and then typecast to the element type. However, conversions from char to bool are undefined if the char is not 0 or 1, causing sanitizers and fuzzers to crash. The vulnerability was discovered via internal fuzzing.

Recommendations For TensorFlow versions prior to 2.11.0, update to version 2.11.0 or later. For TensorFlow versions 2.10.1 and earlier, update to version 2.10.1 or later, or apply the patch from GitHub commit 1be74370327. For TensorFlow versions 2.9.3 and earlier, update to version 2.9.3 or later, or apply the patch from GitHub commit 1be74370327. For TensorFlow versions 2.8.4 and earlier, update to version 2.8.4 or later, or apply the patch from GitHub commit 1be74370327. As a temporary workaround, consider avoiding the printing of tensors that may contain boolean values until the issue is resolved.