CVE-2022-41887 Overflow in `tf.keras.losses.poisson` in Tensorflow

TensorFlow is an open source platform for machine learning. tf.keras.losses.poisson receives a ypred and ytrue that are passed through functor::mul in BinaryOp. If the resulting dimensions overflow an int32, TensorFlow will crash due to a size mismatch during broadcast assignment. We have patched...

CVE-2022-41909 Segfault in `CompositeTensorVariantToComponents` in Tensorflow

TensorFlow is an open source platform for machine learning. An input encoded that is not a valid CompositeTensorVariant tensor will trigger a segfault in tf.rawops.CompositeTensorVariantToComponents. We have patched the issue in GitHub commits bf594d08d377dc6a3354d9fdb494b32d45f91971 and...

CVE-2022-41887 Overflow in `tf.keras.losses.poisson` in Tensorflow

TensorFlow is an open source platform for machine learning. tf.keras.losses.poisson receives a ypred and ytrue that are passed through functor::mul in BinaryOp. If the resulting dimensions overflow an int32, TensorFlow will crash due to a size mismatch during broadcast assignment. We have patched...

CVE-2022-41884

CVE-2022-41884 affects TensorFlow. A numpy array has a shape where one element is zero and the others sum to a large number, triggering an error. The issue has been fixed in commit 2b56169c16e375c521a3bc8ea658811cc0793784 and will be included in TensorFlow 2.11; the fix will also be cherry-picked...

CVE-2022-41889

TensorFlow CVE-2022-41889 affects the pywrap path when a list of quantized tensors is assigned to an attribute; the code may parse a tensor and return a nullptr that is not caught, risking a crash. A fix is committed (e9e95553e541) and will be included in TensorFlow 2.11, with cherry-picks to 2.1...

CVE-2022-41893

CVE-2022-41893 affects TensorFlow where calling tf.raw_ops.TensorListResize with a nonscalar input for size triggers a CHECK failure, enabling a denial of service as described in the advisory. The root cause is a validation flaw in TensorListResize; a fix was committed (GitHub commit 888e34b49009...

CVE-2022-41897 `FractionalMaxPoolGrad` Heap out of bounds read in Tensorflow

TensorFlow is an open source platform for machine learning. If FractionMaxPoolGrad is given outsize inputs rowpoolingsequence and colpoolingsequence, TensorFlow will crash. We have patched the issue in GitHub commit d71090c3e5ca325bdf4b02eb236cfb3ee823e927. The fix will be included in TensorFlow...

CVE-2022-41893 `CHECK_EQ` fail in `tf.raw_ops.TensorListResize` in Tensorflow

TensorFlow is an open source platform for machine learning. If tf.rawops.TensorListResize is given a nonscalar value for input size, it results CHECK fail which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 888e34b49009a4e734c27ab0c43b0b5102682c56...

CVE-2022-41901 `CHECK_EQ` fail via input in `SparseMatrixNNZ` in Tensorflow

TensorFlow is an open source platform for machine learning. An input sparsematrix that is not a matrix with a shape with rank 0 will trigger a CHECK fail in tf.rawops.SparseMatrixNNZ. We have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693. The fix will be included in...

CVE-2022-41894

CVE-2022-41894 affects TensorFlow/TFLite CONV_3D_TRANSPOSE reference kernel. The bug increments data_ptr by num_channels instead of output_num_channels, enabling an out-of-bounds write to the bias buffer when input channels exceed output channels. Attack requires using the reference kernel resolv...

CVE-2022-41911

CVE-2022-41911 affects TensorFlow; root cause is an undefined char-to-bool conversion when printing a tensor, leading to sanitizer/fuzzer crashes. Patch is in GitHub commit 1be74370327 and will be included in TensorFlow 2.11.0, with backports to 2.10.1, 2.9.3, and 2.8.4. Public detail confirms im...

CVE-2022-41909 Segfault in `CompositeTensorVariantToComponents` in Tensorflow

TensorFlow is an open source platform for machine learning. An input encoded that is not a valid CompositeTensorVariant tensor will trigger a segfault in tf.rawops.CompositeTensorVariantToComponents. We have patched the issue in GitHub commits bf594d08d377dc6a3354d9fdb494b32d45f91971 and...

CVE-2022-41907

CVE-2022-41907 affects TensorFlow: when calling tf.raw_ops.ResizeNearestNeighborGrad with a very large size, an integer overflow occurs in the operation. The issue has been fixed in commit 00c821af032ba9e5f5fa3fe14690c8d28a657624 and the fix will be included in TensorFlow 2.11; TensorFlow 2.10.1,...

CVE-2022-41890

CVE-2022-41890 (TensorFlow) : A bug in BCast::ToShape can crash TensorFlow when given input larger than int32, despite intended int64 support. A GitHub commit (8310bf8dd188ff780e7fc53245058215a05bdbe5) patches the issue; the fix will be in TensorFlow 2.11 and will be cherry-picked to 2.10.1, 2.9....

CVE-2022-41911 Invalid char to bool conversion when printing a tensor in Tensorflow

TensorFlow is an open source platform for machine learning. When printing a tensor, we get it's data as a const char array since that's the underlying storage and then we typecast it to the element type. However, conversions from char to bool are undefined if the char is not 0 or 1, so...

CVE-2022-41900 FractionalMaxPool and FractionalAVGPool heap out-of-bounds acess in Tensorflow

TensorFlow is an open source platform for machine learning. The security vulnerability results in FractionalMaxAVGPool with illegal poolingratio. Attackers using Tensorflow can exploit the vulnerability. They can access heap memory which is not in the control of user, leading to a crash or remote...

CVE-2022-41888 Unckecked rank size in `tf.image.generate_bounding_box_proposals` in Tensorflow

TensorFlow is an open source platform for machine learning. When running on GPU, tf.image.generateboundingboxproposals receives a scores input that must be of rank 4 but is not checked. We have patched the issue in GitHub commit cf35502463a88ca7185a99daa7031df60b3c1c98. The fix will be included i...

CVE-2022-41901 `CHECK_EQ` fail via input in `SparseMatrixNNZ` in Tensorflow

TensorFlow is an open source platform for machine learning. An input sparsematrix that is not a matrix with a shape with rank 0 will trigger a CHECK fail in tf.rawops.SparseMatrixNNZ. We have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693. The fix will be included in...

CVE-2022-41899

CVE-2022-41899 — TensorFlow SdcaOptimizer rank check issue . The vulnerability occurs when inputs are not rank-2 and triggers a CHECK failure in SdcaOptimizer, potentially impacting availability. The root cause is a rank validation check in the optimizer. Patch available in GitHub commit 80ff197d...

CVE-2022-41909

CVE-2022-41909 affects TensorFlow: an input encoded that is not a valid CompositeTensorVariant can cause a segfault in tf.raw_ops.CompositeTensorVariantToComponents. Patches are in commits bf594d08d... and 660ce5a89e..., with the fix slated for TensorFlow 2.11 and cherry-picked to 2.10.1, 2.9.3, ...