Home » Database

AVID-2026-R0979

Description

Null-dereference in Tensorflow (CVE-2022-23577)

Details

Tensorflow is an Open Source Machine Learning Framework. The implementation of GetInitOp is vulnerable to a crash caused by dereferencing a null pointer. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2022-23577 describes a null pointer dereference in TensorFlow, a widely-used AI framework. It affects software used to build/train/serve AI systems (dependency in ML pipelines). It is a security/safety vulnerability with availability impact (crash). Evidence is provided (CVE entry, advisory, commit). Therefore it should be kept for AVID curation as a software supply-chain vulnerability in general-purpose AI systems.

References

Affected or Relevant Artifacts

  • Developer: tensorflow
  • Deployer: tensorflow
  • Artifact Details:
TypeName
Systemtensorflow

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.1
Vector StringCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score6.5
Base Severity🟠 Medium
Attack VectorNETWORK
Attack Complexity🟢 Low
Privileges Required🟢 Low
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability Impact🔴 High

CWE

IDDescription
CWE-476CWE-476: NULL Pointer Dereference

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2022-02-04
  • Version: 0.3.3
  • AVID Entry