AVID-2026-R1082

Description

CHECK fail in FractionalMaxPoolGrad in TensorFlow (CVE-2022-35981)

Details

TensorFlow is an open source platform for machine learning. FractionalMaxPoolGrad validates its inputs with CHECK failures instead of with returning errors. If it gets incorrectly sized inputs, the CHECK failure can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 8741e57d163a079db05a7107a7609af70931def4. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Reason for inclusion in AVID: CVE-2022-35981 describes a software vulnerability in TensorFlow (FractionalMaxPoolGrad) that can trigger a denial of service via incorrect input validation. TensorFlow is a core AI/ML framework; this affects software components used to build/train/deploy AI systems. A fix is available in a Git commit and will be included in released TensorFlow versions, with additional cherry-picks for affected versions. This is clearly a software supply-chain-relevant vulnerability for general-purpose AI systems and is not hardware/firmware-only.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vxv8-r8q2-63xw
• https://github.com/tensorflow/tensorflow/commit/8741e57d163a079db05a7107a7609af70931def4

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-09-16
• Version: 0.3.3
• AVID Entry