AVID-2026-R0966

Description

Integer overflow in Tensorflow (CVE-2022-23562)

Details

Tensorflow is an Open Source Machine Learning Framework. The implementation of Range suffers from integer overflows. These can trigger undefined behavior or, in some scenarios, extremely large allocations. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2022-23562 describes an integer overflow in TensorFlow’s Range implementation. TensorFlow is a core AI framework, so this vulnerability concerns AI/ML systems and their tooling. It affects a component used in building, training, and deploying general-purpose AI systems, representing a software supply-chain risk within AI stacks. The advisory provides concrete vulnerability details and references (CVSS data, fix notes), indicating a real security flaw with actionable remediation; thus the evidence is sufficient to classify.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/pull/51733
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qx3f-p745-w4hr
• https://github.com/tensorflow/tensorflow/issues/52676
• https://github.com/tensorflow/tensorflow/commit/f0147751fd5d2ff23251149ebad9af9f03010732

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-02-04
• Version: 0.3.3
• AVID Entry