AVID-2026-R0995

Description

Null pointer dereference in TensorFlow (CVE-2022-23595)

Details

Tensorflow is an Open Source Machine Learning Framework. When building an XLA compilation cache, if default settings are used, TensorFlow triggers a null pointer dereference. In the default scenario, all devices are allowed, so flr->config_proto is nullptr. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2022-23595 describes a null pointer dereference in TensorFlow during XLA cache construction, a software vulnerability in a core AI framework. TensorFlow is a key component in AI software stacks, so this affects the AI software supply chain (dependencies/frameworks used to build/train/deploy AI systems). The report provides CVE details, affected versions, and references, supporting evidence for a security vulnerability in the AI pipeline.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fpcp-9h7m-ffpx
• https://github.com/tensorflow/tensorflow/commit/e21af685e1828f7ca65038307df5cc06de4479e8
• https://github.com/tensorflow/tensorflow/blob/274df9b02330b790aa8de1cee164b70f72b9b244/tensorflow/compiler/jit/xla_platform_info.cc#L43-L104

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-02-04
• Version: 0.3.3
• AVID Entry