CVE-2022-41883 Out of bounds segmentation fault due to unequal op inputs in Tensorflow

TensorFlow is an open source platform for machine learning. When ops that have specified input sizes receive a differing number of inputs, the executor will crash. We have patched the issue in GitHub commit f5381e0e10b5a61344109c1b7c174c68110f7629. The fix will be included in TensorFlow 2.11. We...

CVE-2022-41883

CVE-2022-41883 affects TensorFlow. When ops with specified input sizes receive a differing number of inputs, the executor can crash due to an input-size mismatch. The issue has been patched in GitHub commit f5381e0e10b5a61344109c1b7c174c68110f7629 and will be included in TensorFlow 2.11; it will ...

CVE-2022-41898

TensorFlow CVE-2022-41898 causes a crash when SparseFillEmptyRowsGrad is given empty inputs. The issue was patched in commit af4a6a3c8b95022c351edae94560acc61253a1b8 and will be included in TensorFlow 2.11; the patch will also be cherry-picked to 2.10.1, 2.9.3, and 2.8.4, which are within the sup...

CVE-2022-41887

TensorFlow CVE-2022-41887 describes a buffer/size-mismatch overflow in tf.keras.losses.poisson when y_pred/y_true dimensions overflow an int32 during broadcasting in BinaryOp. A patch is committed (c5b30379ba87cbe774b08ac50c1f6d36df4ebb7c) and will be included in TensorFlow 2.11; TensorFlow 2.10....

CVE-2022-41911

CVE-2022-41911 affects TensorFlow; root cause is an undefined char-to-bool conversion when printing a tensor, leading to sanitizer/fuzzer crashes. Patch is in GitHub commit 1be74370327 and will be included in TensorFlow 2.11.0, with backports to 2.10.1, 2.9.3, and 2.8.4. Public detail confirms im...

CVE-2022-41897

CVE-2022-41897 affects TensorFlow when FractionMaxPoolGrad receives outsize inputs in row_pooling_sequence or col_pooling_sequence, causing a crash due to a heap/out-of-bounds read. The issue is addressed in a GitHub commit (d71090c3e5ca325bdf4b02eb236cfb3ee823e927) and the fix will be included i...

CVE-2022-41899

CVE-2022-41899 — TensorFlow SdcaOptimizer rank check issue . The vulnerability occurs when inputs are not rank-2 and triggers a CHECK failure in SdcaOptimizer, potentially impacting availability. The root cause is a rank validation check in the optimizer. Patch available in GitHub commit 80ff197d...

CVE-2022-41889

TensorFlow CVE-2022-41889 affects the pywrap path when a list of quantized tensors is assigned to an attribute; the code may parse a tensor and return a nullptr that is not caught, risking a crash. A fix is committed (e9e95553e541) and will be included in TensorFlow 2.11, with cherry-picks to 2.1...

CVE-2022-41880

TensorFlow CVE-2022-41880 describes a heap-based out-of-bounds read in BaseCandidateSamplerOp when true_classes contains a value greater than range_max. A patch was committed (b389f5c944cadfdfe599b3f1e4026e036f30d2d4) and the fix is scheduled for TensorFlow 2.11, with cherry-picks to 2.10.1, 2.9....

CVE-2022-41900

TensorFlow CVE-2022-41900 affects FractionalMax(AVG)Pool due to an illegal pooling_ratio, potentially allowing access to heap memory and causing a crash or remote code execution. The issue has been patched in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48, with the fix scheduled for Tenso...

CVE-2022-41894

CVE-2022-41894 affects TensorFlow/TFLite CONV_3D_TRANSPOSE reference kernel. The bug increments data_ptr by num_channels instead of output_num_channels, enabling an out-of-bounds write to the bias buffer when input channels exceed output channels. Attack requires using the reference kernel resolv...

CVE-2022-41891

CVE-2022-41891 (TensorFlow) : A segmentation fault occurs in tf.raw_ops.TensorListConcat when element_shape is []; this can trigger a denial-of-service. A patch was committed (fc33f3dc4c14051a83eec6535b608abe1d355fde) and will be included in TensorFlow 2.11. TensorFlow 2.10.1, 2.9.3, and 2.8.4 wi...

CVE-2022-41909

CVE-2022-41909 affects TensorFlow: an input encoded that is not a valid CompositeTensorVariant can cause a segfault in tf.raw_ops.CompositeTensorVariantToComponents. Patches are in commits bf594d08d... and 660ce5a89e..., with the fix slated for TensorFlow 2.11 and cherry-picked to 2.10.1, 2.9.3, ...

CVE-2022-41898 `CHECK` fail via inputs in `SparseFillEmptyRowsGrad` in Tensorflow

TensorFlow is an open source platform for machine learning. If SparseFillEmptyRowsGrad is given empty inputs, TensorFlow will crash. We have patched the issue in GitHub commit af4a6a3c8b95022c351edae94560acc61253a1b8. The fix will be included in TensorFlow 2.11. We will also cherrypick this commi...

CVE-2022-41893

CVE-2022-41893 affects TensorFlow where calling tf.raw_ops.TensorListResize with a nonscalar input for size triggers a CHECK failure, enabling a denial of service as described in the advisory. The root cause is a validation flaw in TensorListResize; a fix was committed (GitHub commit 888e34b49009...

CVE-2022-41895

TensorFlow CVE-2022-41895 describes a heap-out-of-bounds read in MirrorPadGrad when input paddings are out of range. The issue is fixed in commit 717ca98d8c3bba348ff62281fdf38dcb5ea1ec92 and will be included in TensorFlow 2.11; a cherry-pick will be applied to 2.10.1, 2.9.3, and 2.8.4 for affecte...

CVE-2022-41887 Overflow in `tf.keras.losses.poisson` in Tensorflow

TensorFlow is an open source platform for machine learning. tf.keras.losses.poisson receives a ypred and ytrue that are passed through functor::mul in BinaryOp. If the resulting dimensions overflow an int32, TensorFlow will crash due to a size mismatch during broadcast assignment. We have patched...

CVE-2022-41901 `CHECK_EQ` fail via input in `SparseMatrixNNZ` in Tensorflow

TensorFlow is an open source platform for machine learning. An input sparsematrix that is not a matrix with a shape with rank 0 will trigger a CHECK fail in tf.rawops.SparseMatrixNNZ. We have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693. The fix will be included in...

CVE-2022-41907 Overflow in `ResizeNearestNeighborGrad` in Tensorflow

TensorFlow is an open source platform for machine learning. When tf.rawops.ResizeNearestNeighborGrad is given a large size input, it overflows. We have patched the issue in GitHub commit 00c821af032ba9e5f5fa3fe14690c8d28a657624. The fix will be included in TensorFlow 2.11. We will also cherrypick...

CVE-2022-41907 Overflow in `ResizeNearestNeighborGrad` in Tensorflow

TensorFlow is an open source platform for machine learning. When tf.rawops.ResizeNearestNeighborGrad is given a large size input, it overflows. We have patched the issue in GitHub commit 00c821af032ba9e5f5fa3fe14690c8d28a657624. The fix will be included in TensorFlow 2.11. We will also cherrypick...