AVID-2026-R0998
Description
ReDoS in Apache MXNet RTC Module (CVE-2022-24294)
Details
A regular expression used in Apache MXNet (incubating) is vulnerable to denial of service through excessive resource consumption (ReDoS). The bug can be triggered when loading a model whose operator name is specially crafted so that evaluating the regular expression against it consumes excessive resources while attempting a match. This issue affects Apache MXNet versions prior to 1.9.1.
Reason for inclusion in AVID: CVE-2022-24294 describes a denial-of-service vulnerability in Apache MXNet's RTC module, triggered by a crafted model load operation (excessive resource consumption during regular expression evaluation). It affects the MXNet framework, a core AI software component used to build, train and deploy ML models, making it a software supply-chain issue within AI stacks. It is a security vulnerability (DoS) with explicit impact details and affected versions.
References
- NVD entry
- https://lists.apache.org/thread/b1fbfmvzlr2bbp95lqoh3mtovclfcl3o
- http://www.openwall.com/lists/oss-security/2022/07/24/2
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache MXNet |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-400 | Uncontrolled Resource Consumption |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-07-24
- Version: 0.3.3
- AVID Entry