CVE-2023-25662

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.12.0 TensorFlow versions prior to 2.11.1

Description The issue is related to an integer overflow in the EditDistance function of TensorFlow, which can cause a deadlock when the hypothesis shape t is empty. This occurs because hypothesis shape t->NumElements() - 1 will result in an integer overflow. The vulnerability can be exploited by passing a specific set of parameters to the tf.raw ops.EditDistance function, including empty hypothesis shape and truth shape.

Recommendations For versions prior to 2.12.0, update to TensorFlow version 2.12.0 to resolve the issue. For versions prior to 2.11.1, update to TensorFlow version 2.11.1 to resolve the issue. As a temporary workaround, consider avoiding the use of the tf.raw ops.EditDistance function with empty hypothesis shape and truth shape parameters until a patch is applied.