AVID-2026-R1075

Description

CHECK fail in AvgPoolGrad in TensorFlow (CVE-2022-35968)

Details

TensorFlow is an open source platform for machine learning. The implementation of AvgPoolGrad does not fully validate the input orig_input_shape. This results in a CHECK failure which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 3a6ac52664c6c095aa2b114e742b0aa17fdce78f. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Reason for inclusion in AVID: CVE-2022-35968 describes a software vulnerability in TensorFlow (AvgPoolGrad input validation leading to a denial of service). This is a software supply-chain issue in a core ML framework used to build/train/deploy AI systems, and it has explicit vulnerability characteristics (denial of service). The report provides evidence (commit patch, CVSS data, affected versions) to support classification.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/commit/3a6ac52664c6c095aa2b114e742b0aa17fdce78f
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-2475-53vw-vp25

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-09-16
• Version: 0.3.3
• AVID Entry