AVID-2026-R0941

Description

Division by zero in Tensorflow (CVE-2022-21725)

Details

Tensorflow is an Open Source Machine Learning Framework. The estimator for the cost of some convolution operations can be made to execute a division by 0. The function fails to check that the stride argument is strictly positive. Hence, the fix is to add a check for the stride argument to ensure it is valid. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2022-21725 describes a vulnerability in TensorFlow (an AI framework) causing a division by zero in an operation’s cost estimator. It affects a core AI software stack used in building/training/deploying general-purpose AI systems, i.e., a software supply-chain component (TensorFlow op-level cost estimation). It has security impact (availability), is AI-related, and there is explicit evidence (CVE entry, CVSS, advisories) supporting it.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-v3f7-j968-4h5f
• https://github.com/tensorflow/tensorflow/commit/3218043d6d3a019756607643cf65574fbfef5d7a
• https://github.com/tensorflow/tensorflow/blob/ffa202a17ab7a4a10182b746d230ea66f021fe16/tensorflow/core/grappler/costs/op_level_cost_estimator.cc#L189-L198

Affected or Relevant Artifacts

• Developer: n/a
• Deployer: n/a
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-02-03
• Version: 0.3.3
• AVID Entry