AVID-2026-R1036

Description

Incomplete validation in signal ops leads to crashes in TensorFlow (CVE-2022-29213)

Details

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the tf.compat.v1.signal.rfft2d and tf.compat.v1.signal.rfft3d lack input validation and under certain condition can result in crashes (due to CHECK-failures). Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Reason for inclusion in AVID: CVE-2022-29213 describes an input validation flaw in TensorFlow signal operations that may cause crashes (potential DoS). It is a vulnerability in a widely used AI software library and affects components used to build/run AI systems, representing a software supply-chain vulnerability in AI stacks.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/releases/tag/v2.6.4
• https://github.com/tensorflow/tensorflow/releases/tag/v2.7.2
• https://github.com/tensorflow/tensorflow/releases/tag/v2.8.1
• https://github.com/tensorflow/tensorflow/releases/tag/v2.9.0
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-5889-7v45-q28m
• https://github.com/tensorflow/tensorflow/issues/55263
• https://github.com/tensorflow/tensorflow/pull/55274
• https://github.com/tensorflow/tensorflow/commit/0a8a781e597b18ead006d19b7d23d0a369e9ad73

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-05-20
• Version: 0.3.3
• AVID Entry