Vulnerability Description
TensorFlow is an open source machine learning framework. The implementation of the `ThreadPoolHandle` op can be used to trigger a denial of service by allocating too much memory: the `num_threads` argument is only checked to be non-negative, with no upper bound on its value, so an arbitrarily large thread count is accepted and the op sizes its thread pool from it. The fix will be included in TensorFlow 2.8.0. We will also cherry-pick this commit onto TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as those release lines are also affected and still in the supported range.
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Google | Tensorflow | <= 2.5.2 |
Related Weaknesses (CWE)
References
- https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85 (Exploit, Third Party Advisory)
- https://github.com/tensorflow/tensorflow/commit/e3749a6d5d1e8d11806d4a2e9cc3123d (Patch, Third Party Advisory)
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c582-c96p-r5cq (Patch, Third Party Advisory)
FAQ
What is CVE-2022-21732?
CVE-2022-21732 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Tensorflow is an Open Source Machine Learning Framework. The implementation of `ThreadPoolHandle` can be used to trigger a denial of service attack by allocating too much memory. This is because the `...
How severe is CVE-2022-21732?
CVE-2022-21732 has been rated MEDIUM with a CVSS base score of 4.3/10. The impact is denial of service through memory exhaustion; the advisory does not describe code execution or data exposure.
Is there a patch for CVE-2022-21732?
Yes. The fix is included in TensorFlow 2.8.0 and cherry-picked onto the 2.7.1, 2.6.3, and 2.5.3 releases; the fixing commit and the GitHub security advisory (GHSA-c582-c96p-r5cq) are listed in the references section above. Affected products include: Google Tensorflow.