Home » Database

AVID-2026-R0992

Description

Out of bounds read in Tensorflow (CVE-2022-23592)

Details

Tensorflow is an Open Source Machine Learning Framework. TensorFlow’s type inference can cause a heap out of bounds read as the bounds checking is done in a DCHECK (which is a no-op during production). An attacker can control the input_idx variable such that ix would be larger than the number of values in node_t.args. The fix will be included in TensorFlow 2.8.0. This is the only affected version.

Reason for inclusion in AVID: The CVE describes a heap/out-of-bounds read vulnerability in TensorFlow’s type inference, affecting an AI framework used to build/train/deploy AI systems. It is a software vulnerability in a core AI supply-chain component (TensorFlow), not hardware/firmware. The report provides affected versions and remediation, indicating an exploitable security flaw relevant to AI pipelines.

References

Affected or Relevant Artifacts

  • Developer: tensorflow
  • Deployer: tensorflow
  • Artifact Details:
TypeName
Systemtensorflow

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.1
Vector StringCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Base Score8.1
Base Severity🔴 High
Attack VectorNETWORK
Attack Complexity🟢 Low
Privileges Required🟢 Low
User InteractionNONE
ScopeUNCHANGED
Confidentiality Impact🔴 High
Integrity ImpactNONE
Availability Impact🔴 High

CWE

IDDescription
CWE-125CWE-125: Out-of-bounds Read

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2022-02-04
  • Version: 0.3.3
  • AVID Entry