AVID-2026-R0974
Description
Crash when type cannot be specialized in Tensorflow (CVE-2022-23572)
Details
TensorFlow is an open source machine learning framework. Under certain scenarios, TensorFlow can fail to specialize a type during shape inference. This case is guarded only by a DCHECK; DCHECK is a no-op in production builds and an assertion failure in debug builds. In the first case (production), execution proceeds to the ValueOrDie line, which fails because ret holds an error Status rather than a value, so the process aborts. In the second case (debug), the DCHECK itself fires, so the outcome is also a crash. The fix will be included in TensorFlow 2.8.0. We will also cherry-pick this commit on TensorFlow 2.7.1 and TensorFlow 2.6.3, as these are also affected and still within the supported range.
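The two patterns the advisory contrasts, shown side by side as an added illustration that is not TensorFlow's code: a DCHECK that disappears in release builds followed by ValueOrDie, versus an explicit status check that propagates the error. The Status, StatusOr and DCHECK definitions below are simplified stand-ins for the TensorFlow/Abseil types of the same names, and SpecializeRank with its type names is a constructed placeholder for the shape-inference step that specializes a type.

```cpp
// Added example (not TensorFlow's code): why DCHECK + ValueOrDie crashes in
// production when a type cannot be specialized, and the defensive alternative.
#include <cstdlib>
#include <iostream>
#include <string>
#include <utility>

// Minimal stand-in for tensorflow::Status (constructed for this example).
struct Status {
  bool ok_;
  std::string message;
  static Status OK() { return {true, ""}; }
  static Status Error(std::string m) { return {false, std::move(m)}; }
  bool ok() const { return ok_; }
};

// Minimal stand-in for StatusOr<T>: either a value or an error Status.
template <typename T>
class StatusOr {
 public:
  StatusOr(T value) : status_(Status::OK()), value_(std::move(value)) {}
  StatusOr(Status s) : status_(std::move(s)), value_() {}
  bool ok() const { return status_.ok(); }
  const Status& status() const { return status_; }
  // Like the real ValueOrDie: aborts the process when no value is present.
  const T& ValueOrDie() const {
    if (!ok()) {
      std::cerr << "ValueOrDie called on error: " << status_.message << "\n";
      std::abort();
    }
    return value_;
  }

 private:
  Status status_;
  T value_;
};

// DCHECK is compiled out when NDEBUG is defined (release/production builds).
#ifdef NDEBUG
#define DCHECK(cond) do {} while (0)
#else
#define DCHECK(cond)                                         \
  do {                                                       \
    if (!(cond)) {                                           \
      std::cerr << "DCHECK failed: " #cond "\n";             \
      std::abort();                                          \
    }                                                        \
  } while (0)
#endif

// Constructed placeholder for type specialization during shape inference:
// known type names map to a rank, anything else cannot be specialized.
StatusOr<int> SpecializeRank(const std::string& type_name) {
  if (type_name == "scalar") return 0;
  if (type_name == "vector") return 1;
  if (type_name == "matrix") return 2;
  return Status::Error("cannot specialize type '" + type_name + "'");
}

// Vulnerable pattern: in an NDEBUG build the DCHECK is a no-op, so an
// unspecializable type reaches ValueOrDie and aborts the whole process.
int RankBefore(const std::string& type_name) {
  StatusOr<int> ret = SpecializeRank(type_name);
  DCHECK(ret.ok());         // fires only in debug builds
  return ret.ValueOrDie();  // abort() when ret holds an error Status
}

// Defensive pattern: check the status and return it to the caller, so a bad
// type becomes a recoverable error rather than a crash (denial of service).
Status RankAfter(const std::string& type_name, int* rank) {
  StatusOr<int> ret = SpecializeRank(type_name);
  if (!ret.ok()) return ret.status();
  *rank = ret.ValueOrDie();  // safe: we just verified a value is present
  return Status::OK();
}

int main() {
  int rank = -1;
  std::cout << "vector (before): rank " << RankBefore("vector") << "\n";
  Status s = RankAfter("bogus_type", &rank);
  std::cout << "bogus_type (after): " << (s.ok() ? "ok" : s.message) << "\n";
  // RankBefore("bogus_type") would abort the process in an NDEBUG build.
  return 0;
}
```

The difference is only where the error is handled: RankBefore trusts a check that the compiler removes in production, RankAfter keeps the check in every build and hands the Status back to the caller, which is the behaviour a shape-inference path exposed to untrusted graphs needs.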
Reason for inclusion in AVID: The CVE describes a vulnerability in TensorFlow (an ML framework) where shape inference can crash under certain conditions, leading to an assertion failure in debug builds or an abort in production builds when a bad type is encountered. This is a software vulnerability in a dependency commonly used to build and run AI systems, making it relevant to AI pipelines and general-purpose AI stacks. The issue affects a software component (TensorFlow) used in model training, inference and deployment, i.e., a software supply-chain item. It is categorized as a security/safety vulnerability with impact on availability (crash/DoS) and has explicit references and a fix, providing sufficient evidence for curation.
References
- NVD entry
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rww7-2gpw-fv6j
- https://github.com/tensorflow/tensorflow/commit/cb164786dc891ea11d3a900e90367c339305dc7b
- https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/framework/shape_inference.cc#L168-L174
Affected or Relevant Artifacts
- Developer: tensorflow
- Deployer: tensorflow
- Artifact Details:
| Type | Name |
|---|---|
| System | tensorflow |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Base Score | 6.5 |
| Base Severity | 🟠 Medium |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🟢 Low |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-754 | Improper Check for Unusual or Exceptional Conditions |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-02-04
- Version: 0.3.3
- AVID Entry