Vulnerability Description
TensorFlow is an open source platform for machine learning. When printing a tensor, we get it's data as a `const char*` array (since that's the underlying storage) and then we typecast it to the element type. However, conversions from `char` to `bool` are undefined if the `char` is not `0` or `1`, so sanitizers/fuzzers will crash. The issue has been patched in GitHub commit `1be74370327`. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.10.1, TensorFlow 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tensorflow | < 2.8.4 |
Related Weaknesses (CWE)
References
- https://github.com/tensorflow/tensorflow/blob/807cae8a807960fd7ac2313cde73a11fc1PatchThird Party Advisory
- https://github.com/tensorflow/tensorflow/commit/1be743703279782a357adbf9b77dcb99PatchThird Party Advisory
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-pf36-r9c6-h97jPatchThird Party Advisory
- https://github.com/tensorflow/tensorflow/blob/807cae8a807960fd7ac2313cde73a11fc1PatchThird Party Advisory
- https://github.com/tensorflow/tensorflow/commit/1be743703279782a357adbf9b77dcb99PatchThird Party Advisory
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-pf36-r9c6-h97jPatchThird Party Advisory
FAQ
What is CVE-2022-41911?
CVE-2022-41911 is a vulnerability with a CVSS score of 4.8 (MEDIUM). TensorFlow is an open source platform for machine learning. When printing a tensor, we get it's data as a `const char*` array (since that's the underlying storage) and then we typecast it to the eleme...
How severe is CVE-2022-41911?
CVE-2022-41911 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-41911?
Check the references section above for vendor advisories and patch information. Affected products include: Google Tensorflow.