AVID-2026-R0975

Description

Uninitialized variable access in Tensorflow (CVE-2022-23573)

Details

Tensorflow is an Open Source Machine Learning Framework. The implementation of AssignOp can result in copying uninitialized data to a new tensor. This later results in undefined behavior. The implementation has a check that the left hand side of the assignment is initialized (to minimize number of allocations), but does not check that the right hand side is also initialized. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Reason for inclusion in AVID: The candidate describes CVE-2022-23573 a vulnerability in TensorFlow (uninitialized variable access in AssignOp) with regulatory details, affected versions, and a fix. TensorFlow is a core AI framework, and this vulnerability affects software components used to build/train/deploy AI systems, i.e., the AI software supply chain. It is a security vulnerability (uninitialized data could cause undefined behavior; CVSS base 7.6). The report provides explicit evidence (CVE entry, commit, and advisory links).

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q85f-69q7-55h2
• https://github.com/tensorflow/tensorflow/commit/ef1d027be116f25e25bb94a60da491c2cf55bd0b
• https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/assign_op.h#L30-L143

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-02-04
• Version: 0.3.3
• AVID Entry