CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2022-41890 – `CHECK` fail in `BCast` overflow in Tensorflow
https://notcve.org/view.php?id=CVE-2022-41890
18 Nov 2022 — TensorFlow is an open source platform for machine learning. If `BCast::ToShape` is given input larger than an `int32`, it will crash, despite being supposed to handle up to an `int64`. An example can be seen in `tf.experimental.numpy.outer` by passing in large input to the input `b`. We have patched the issue in GitHub commit 8310bf8dd188ff780e7fc53245058215a05bdbe5. The fix will be included in TensorFlow 2.11. • https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/util/bcast.h • CWE-704: Incorrect Type Conversion or Cast •
CVSS: 10.0EPSS: 1%CPEs: 3EXPL: 1CVE-2022-41900 – FractionalMaxPool and FractionalAVGPool heap out-of-bounds acess in Tensorflow
https://notcve.org/view.php?id=CVE-2022-41900
18 Nov 2022 — TensorFlow is an open source platform for machine learning. The security vulnerability results in FractionalMax(AVG)Pool with illegal pooling_ratio. Attackers using Tensorflow can exploit the vulnerability. They can access heap memory which is not in the control of user, leading to a crash or remote code execution. We have patched the issue in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48. • https://github.com/tensorflow/tensorflow/commit/216525144ee7c910296f5b05d214ca1327c9ce48 • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2022-41901 – `CHECK_EQ` fail via input in `SparseMatrixNNZ` in Tensorflow
https://notcve.org/view.php?id=CVE-2022-41901
18 Nov 2022 — TensorFlow is an open source platform for machine learning. An input `sparse_matrix` that is not a matrix with a shape with rank 0 will trigger a `CHECK` fail in `tf.raw_ops.SparseMatrixNNZ`. We have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. • https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/sparse/sparse_matrix.h • CWE-20: Improper Input Validation CWE-617: Reachable Assertion •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 1CVE-2022-41885 – Overflow in `FusedResizeAndPadConv2D` in Tensorflow
https://notcve.org/view.php?id=CVE-2022-41885
18 Nov 2022 — TensorFlow is an open source platform for machine learning. When `tf.raw_ops.FusedResizeAndPadConv2D` is given a large tensor shape, it overflows. We have patched the issue in GitHub commit d66e1d568275e6a2947de97dca7a102a211e01ce. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. • https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/conv_ops_fused_image_transform.cc • CWE-131: Incorrect Calculation of Buffer Size •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2022-41886 – Overflow in `ImageProjectiveTransformV2` in Tensorflow
https://notcve.org/view.php?id=CVE-2022-41886
18 Nov 2022 — TensorFlow is an open source platform for machine learning. When `tf.raw_ops.ImageProjectiveTransformV2` is given a large output shape, it overflows. We have patched the issue in GitHub commit 8faa6ea692985dbe6ce10e1a3168e0bd60a723ba. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. • https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/image/image_ops.cc • CWE-131: Incorrect Calculation of Buffer Size •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2022-41896 – `tf.raw_ops.Mfcc` crashes in Tensorflow
https://notcve.org/view.php?id=CVE-2022-41896
18 Nov 2022 — TensorFlow is an open source platform for machine learning. If `ThreadUnsafeUnigramCandidateSampler` is given input `filterbank_channel_count` greater than the allowed max size, TensorFlow will crash. We have patched the issue in GitHub commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. • https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/image/mirror_pad_op.cc • CWE-20: Improper Input Validation CWE-1284: Improper Validation of Specified Quantity in Input •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2022-41908 – `CHECK` fail via inputs in `PyFunc` in Tensorflow
https://notcve.org/view.php?id=CVE-2022-41908
18 Nov 2022 — TensorFlow is an open source platform for machine learning. An input `token` that is not a UTF-8 bytestring will trigger a `CHECK` fail in `tf.raw_ops.PyFunc`. We have patched the issue in GitHub commit 9f03a9d3bafe902c1e6beb105b2f24172f238645. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. • https://github.com/tensorflow/tensorflow/blob/master/tensorflow/python/lib/core/py_func.cc • CWE-20: Improper Input Validation •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 1CVE-2022-41894 – Buffer overflow in `CONV_3D_TRANSPOSE` on TFLite
https://notcve.org/view.php?id=CVE-2022-41894
18 Nov 2022 — TensorFlow is an open source platform for machine learning. The reference kernel of the `CONV_3D_TRANSPOSE` TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result. Instead of `data_ptr += num_channels;` it should be `data_ptr += output_num_channels;` as if the number of input channels is different than the number of output channels, the wrong result will be returned and a buffer overflow will occur if num_channels > output_num_channels. An attacker can craft a model with... • https://github.com/tensorflow/tensorflow/blob/091e63f0ea33def7ecad661a5ac01dcafbafa90b/tensorflow/lite/kernels/internal/reference/conv3d_transpose.h#L121 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 9.4EPSS: 0%CPEs: 3EXPL: 1CVE-2022-41880 – ThreadUnsafeUnigramCandidateSampler Heap out of bounds in Tensorflow
https://notcve.org/view.php?id=CVE-2022-41880
18 Nov 2022 — TensorFlow is an open source platform for machine learning. When the `BaseCandidateSamplerOp` function receives a value in `true_classes` larger than `range_max`, a heap oob read occurs. We have patched the issue in GitHub commit b389f5c944cadfdfe599b3f1e4026e036f30d2d4. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. • https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/candidate_sampler_ops.cc • CWE-125: Out-of-bounds Read •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-41911 – Invalid char to bool conversion when printing a tensor in Tensorflow
https://notcve.org/view.php?id=CVE-2022-41911
18 Nov 2022 — TensorFlow is an open source platform for machine learning. When printing a tensor, we get it's data as a `const char*` array (since that's the underlying storage) and then we typecast it to the element type. However, conversions from `char` to `bool` are undefined if the `char` is not `0` or `1`, so sanitizers/fuzzers will crash. The issue has been patched in GitHub commit `1be74370327`. The fix will be included in TensorFlow 2.11.0. • https://github.com/tensorflow/tensorflow/blob/807cae8a807960fd7ac2313cde73a11fc15e7942/tensorflow/core/framework/tensor.cc#L1200-L1227 • CWE-704: Incorrect Type Conversion or Cast •