CVE-2023-25674

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.12.0 and 2.11.1

Description The issue is a null pointer error in RandomShuffle with XLA enabled. A fix is included in TensorFlow 2.12.0 and 2.11.1. The error can be triggered by using the tf.raw ops.RandomShuffle function with specific parameters, such as value, seed, and seed2. For example, using the parameters {'value': 1e+20, 'seed': -4294967297, 'seed2': -2147483649} can cause the error.

Recommendations To resolve the issue, update to TensorFlow 2.12.0 or 2.11.1, as these versions include the fix for the null pointer error in RandomShuffle with XLA enabled. As a temporary workaround, consider disabling the XLA enable feature for the tf.raw ops.RandomShuffle function until a patch is available. Restrict access to the tf.raw ops.RandomShuffle function to minimize the risk of exploitation. Avoid using the parameters value, seed, and seed2 in the affected tf.raw ops.RandomShuffle function until the issue is resolved.