AVID-2026-R0954

Description

Heap overflow in Tensorflow (CVE-2022-21740)

Details

Tensorflow is an Open Source Machine Learning Framework. The implementation of SparseCountSparseOutput is vulnerable to a heap overflow. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2022-21740 describes a heap overflow in TensorFlow’s SparseCountSparseOutput, a vulnerability in a widely used AI framework. TensorFlow is a software component used to build, train, deploy, and run general-purpose AI systems, so this is a software supply-chain-relevant issue within AI stacks. The CVE entry includes impact details, affected versions, and references (advisories, commits, and code location), indicating a security vulnerability with potential RCE/impact characteristics as per CVSS data provided.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-44qp-9wwf-734r
• https://github.com/tensorflow/tensorflow/commit/2b7100d6cdff36aa21010a82269bc05a6d1cc74a
• https://github.com/tensorflow/tensorflow/commit/adbbabdb0d3abb3cdeac69e38a96de1d678b24b3
• https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/count_ops.cc#L168-L273

Affected or Relevant Artifacts

• Developer: n/a
• Deployer: n/a
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-02-03
• Version: 0.3.3
• AVID Entry