AVID-2026-R0972

Description

Null-dereference in Tensorflow (CVE-2022-23570)

Details

Tensorflow is an Open Source Machine Learning Framework. When decoding a tensor from protobuf, TensorFlow might do a null-dereference if attributes of some mutable arguments to some operations are missing from the proto. This is guarded by a DCHECK. However, DCHECK is a no-op in production builds and an assertion failure in debug builds. In the first case execution proceeds to the dereferencing of the null pointer, whereas in the second case it results in a crash due to the assertion failure. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, and TensorFlow 2.6.3, as these are also affected and still in supported range.

Reason for inclusion in AVID: The CVE describes a software vulnerability in TensorFlow (an AI framework) involving a null-pointer dereference during protobuf decoding; it affects production deployments and has fixes in updated TensorFlow versions. TensorFlow is a core component used to build/train/deploy AI systems, making this a software supply-chain vulnerability in AI stacks. The report includes explicit CVE details, affected versions, and references.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9p77-mmrw-69c7
• https://github.com/tensorflow/tensorflow/commit/8a513cec4bec15961fbfdedcaa5376522980455c
• https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/framework/full_type_util.cc#L104-L106

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-02-04
• Version: 0.3.3
• AVID Entry