AVID-2026-R0952

Description

Integer overflow leading to crash in Tensorflow (CVE-2022-21738)

Details

Tensorflow is an Open Source Machine Learning Framework. The implementation of SparseCountSparseOutput can be made to crash a TensorFlow process by an integer overflow whose result is then used in a memory allocation. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2022-21738 describes an integer overflow in TensorFlow’s SparseCountSparseOutput that can crash the process, leading to availability impact. TensorFlow is a core AI framework used to train and run general-purpose AI systems, so this is a software supply-chain component vulnerability affecting AI stacks. The CVE includes details and references, and a fix was released, indicating a genuine security/safety vulnerability with clear AI/ML relevance. Therefore it should be kept for AVID curation.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/count_ops.cc#L168-L273
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-x4qx-4fjv-hmw6
• https://github.com/tensorflow/tensorflow/commit/6f4d3e8139ec724dbbcb40505891c81dd1052c4a

Affected or Relevant Artifacts

• Developer: n/a
• Deployer: n/a
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-02-03
• Version: 0.3.3
• AVID Entry