PT-2023-20229 · Google · Tensorflow

Pak-Laura · Published 2023-03-24 · Updated 2024-03-06 · CVE-2023-25668

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.12.0
TensorFlow versions prior to 2.11.1

Description

TensorFlow is an open source platform for machine learning. An attacker using TensorFlow can cause it to access heap memory that is not under the user's control, leading to a crash or remote code execution. The issue occurs when the axis attribute is larger than the dimension of the input, causing c->Dim(input, axis) to go out of bounds. This problem also affects the QuantizeAndDequantizeV2/V3/V4/V4Grad operations.

Recommendations

For TensorFlow versions prior to 2.12.0, update to version 2.12.0 to resolve the issue. For TensorFlow versions prior to 2.11.1, update to version 2.11.1 to resolve the issue. As a temporary workaround, consider restricting access to the QuantizeAndDequantizeV2/V3/V4/V4Grad operations until a patch is available. Avoid using the axis parameter with large values in the affected API endpoints until the issue is resolved.
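As an added example, not TensorFlow's own code, the guard below models the check the description implies: the axis attribute is validated against the input's rank before any Dim(input, axis) lookup, so an out-of-range axis is rejected instead of indexing past the end of the dims buffer. The Shape struct and the function names are hypothetical stand-ins for TensorFlow's shape-inference context, and the code assumes the op's convention that axis = -1 means per-tensor quantization with scalar min/max.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for a shape-inference context: a tensor is just its
// dims, and Dim(input, axis) is a plain vector index. An unchecked axis is
// exactly what reads past the end of that heap buffer.
struct Shape {
  std::vector<int64_t> dims;
  int rank() const { return static_cast<int>(dims.size()); }
};

// Validates the axis attribute before it is used as an index. axis == -1
// means per-tensor quantization; any other value must name an existing
// input dimension (assumed op convention).
int ValidateQuantizeAxis(const Shape& input, int64_t axis) {
  if (axis < -1) {
    throw std::invalid_argument("axis must be at least -1, got " + std::to_string(axis));
  }
  if (axis != -1 && axis >= input.rank()) {
    throw std::invalid_argument("axis " + std::to_string(axis) +
                                " is out of range for input of rank " +
                                std::to_string(input.rank()));
  }
  return static_cast<int>(axis);
}

// Non-throwing form of the same check.
bool AxisIsValid(const Shape& input, int64_t axis) {
  try { ValidateQuantizeAxis(input, axis); return true; }
  catch (const std::invalid_argument&) { return false; }
}

// Shape that input_min / input_max must have for a given axis: [] for -1,
// otherwise [Dim(input, axis)]. The Dim lookup happens only after validation.
Shape ExpectedMinMaxShape(const Shape& input, int64_t axis) {
  const int a = ValidateQuantizeAxis(input, axis);
  if (a == -1) return Shape{};
  return Shape{std::vector<int64_t>{input.dims[a]}};
}

// Full guard as a shape function would apply it: rejects a bad axis, and a
// min/max whose shape does not match the selected input dimension.
bool MinMaxShapesAreValid(const Shape& input, const Shape& input_min,
                          const Shape& input_max, int64_t axis) {
  if (!AxisIsValid(input, axis)) return false;
  const Shape expected = ExpectedMinMaxShape(input, axis);
  return input_min.dims == expected.dims && input_max.dims == expected.dims;
}
```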

Weakness Enumeration

Heap Based Buffer Overflow
Out of bounds Read

Related Identifiers

AZL-31200
AZL-35313
BIT-TENSORFLOW-2023-25668
CVE-2023-25668
GHSA-GW97-FF7C-9V96

Affected Products

Tensorflow