Vulnerability Description
TensorFlow is an open source platform for machine learning. The `AvgPoolOp` function takes an argument `ksize` that must be positive but is not checked. A negative `ksize` can trigger a `CHECK` failure and crash the program. We have patched the issue in GitHub commit 3a6ac52664c6c095aa2b114e742b0aa17fdce78f. The fix will be included in TensorFlow 2.10.0. We will also cherry-pick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds to this issue.
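The defensive point of the advisory is that a `CHECK` failure inside a kernel aborts the whole process, so a malformed pooling argument is a denial-of-service rather than a recoverable error. The following is an added example, not the TensorFlow patch and not code from the project: a caller-side guard that enforces the invariant the advisory names (every `ksize` and `strides` entry is a positive integer) before any pooling op is invoked, and computes the expected NHWC output shape with the standard VALID/SAME formulas. The function names, the NHWC layout assumption and the constructed inputs are all assumptions of this example.

```python
import math
from typing import List, Sequence, Tuple

# Constructed example: a caller-side guard for the ksize/strides arguments of
# an average-pool call. Added for illustration; it is not TensorFlow's fix.
# The invariant it enforces (every window and stride entry is a positive int)
# is the one the advisory says AvgPoolOp did not check.

RANK_NHWC = 4  # batch, height, width, channels (assumed layout)


def check_pool_params(ksize: Sequence[int], strides: Sequence[int],
                      rank: int = RANK_NHWC) -> List[str]:
    """Return a list of problems with ksize/strides; an empty list means valid.

    Rejecting bad values here turns a process-aborting CHECK failure inside the
    kernel into an ordinary, catchable error at the call site.
    """
    problems: List[str] = []
    for name, values in (("ksize", ksize), ("strides", strides)):
        try:
            vals = list(values)
        except TypeError:
            problems.append(f"{name} must be a sequence, got {type(values).__name__}")
            continue
        if len(vals) != rank:
            problems.append(f"{name} must have {rank} entries, got {len(vals)}")
            continue
        for i, v in enumerate(vals):
            # bool is a subclass of int in Python; reject it explicitly.
            if isinstance(v, bool) or not isinstance(v, int):
                problems.append(f"{name}[{i}] must be an int, got {v!r}")
            elif v <= 0:
                problems.append(f"{name}[{i}] must be positive, got {v}")
    return problems


def avg_pool_output_shape(input_shape: Sequence[int], ksize: Sequence[int],
                          strides: Sequence[int], padding: str) -> Tuple[int, ...]:
    """Validate the arguments and return the NHWC output shape of an average pool.

    Standard pooling formulas, applied per dimension:
      VALID -> ceil((n - k + 1) / s)     SAME -> ceil(n / s)
    Raises ValueError instead of letting a bad value reach the kernel.
    """
    problems = check_pool_params(ksize, strides)
    if padding not in ("VALID", "SAME"):
        problems.append(f"padding must be 'VALID' or 'SAME', got {padding!r}")
    if len(input_shape) != RANK_NHWC:
        problems.append(f"input_shape must have {RANK_NHWC} entries, got {len(input_shape)}")
    if problems:
        raise ValueError("; ".join(problems))

    out = []
    for n, k, s in zip(input_shape, ksize, strides):
        if padding == "VALID":
            if k > n:
                raise ValueError(f"window {k} larger than input extent {n} with VALID padding")
            out.append(math.ceil((n - k + 1) / s))
        else:
            out.append(math.ceil(n / s))
    return tuple(out)


if __name__ == "__main__":
    # Constructed inputs: a well-formed call, then the negative ksize case
    # from the advisory caught as a Python exception rather than a crash.
    print(avg_pool_output_shape((1, 8, 8, 3), [1, 2, 2, 1], [1, 2, 2, 1], "VALID"))
    try:
        avg_pool_output_shape((1, 8, 8, 3), [1, -2, 2, 1], [1, 2, 2, 1], "VALID")
    except ValueError as exc:
        print("rejected before reaching the kernel:", exc)
```

Placing the check in the calling code is the only mitigation available to users on affected versions, since the advisory lists no workaround; once the patched release is installed the kernel rejects the value itself, and the guard simply becomes redundant.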
CVSS Score
5.9 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Google | Tensorflow | >= 2.7.0, < 2.7.2 |
Related Weaknesses (CWE)
References
- https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5 (Third Party Advisory)
- https://github.com/tensorflow/tensorflow/commit/3a6ac52664c6c095aa2b114e742b0aa1 (Patch, Third Party Advisory)
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mgmh-g2v6-mqw5 (Patch, Third Party Advisory)
FAQ
What is CVE-2022-35941?
CVE-2022-35941 is a vulnerability with a CVSS score of 5.9 (MEDIUM). TensorFlow is an open source platform for machine learning. The `AvgPoolOp` function takes an argument `ksize` that must be positive but is not checked. A negative `ksize` can trigger a `CHECK` failur...
How severe is CVE-2022-35941?
CVE-2022-35941 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-35941?
Check the references section above for vendor advisories and patch information. Affected products include: Google Tensorflow.