AVID-2026-R1071

Description

Segfault in BlockLSTMGradV2 in TensorFlow (CVE-2022-35964)

Details

TensorFlow is an open source platform for machine learning. The implementation of BlockLSTMGradV2 does not fully validate its inputs. This results in a a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 2a458fc4866505be27c62f81474ecb2b870498fa. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Reason for inclusion in AVID: The report documents a software vulnerability in TensorFlow (BlockLSTMGradV2) caused by improper input validation, leading to a denial-of-service via segfault. TensorFlow is a core AI framework widely used to build, train, and deploy general-purpose AI systems, so this is a software supply-chain-relevant vulnerability affecting AI stacks. The issue has CVE coverage, a patched commit, and explicit security impact, meeting AVID criteria for inclusion.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-f7r5-q7cx-h668
• https://github.com/tensorflow/tensorflow/commit/2a458fc4866505be27c62f81474ecb2b870498fa

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-09-16
• Version: 0.3.3
• AVID Entry