AVID-2026-R1060

Description

CHECK failure in tf.reshape in Tensorflow (CVE-2022-35934)

Details

TensorFlow is an open source platform for machine learning. The implementation of tf.reshape op in TensorFlow is vulnerable to a denial of service via CHECK-failure (assertion failure) caused by overflowing the number of elements in a tensor. This issue has been patched in GitHub commit 61f0f9b94df8c0411f0ad0ecc2fec2d3f3c33555. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Reason for inclusion in AVID: CVE-2022-35934 describes a denial-of-service via a CHECK assertion in TensorFlow’s tf.reshape, a vulnerability in a core ML framework used to build/train/deploy AI systems. TensorFlow is a primary software component in GP AI pipelines, so this is a software supply-chain issue affecting AI software stacks. The advisory and patch information provide clear signals of vulnerability and remediation.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-f4w6-h4f5-wx45
• https://github.com/tensorflow/tensorflow/commit/61f0f9b94df8c0411f0ad0ecc2fec2d3f3c33555

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-09-16
• Version: 0.3.3
• AVID Entry