AVID-2026-R1085

Description

CHECK fail in ParameterizedTruncatedNormal in TensorFlow (CVE-2022-35984)

Details

TensorFlow is an open source platform for machine learning. ParameterizedTruncatedNormal assumes shape is of type int32. A valid shape of type int64 results in a mismatched type CHECK fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 72180be03447a10810edca700cbc9af690dfeb51. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Reason for inclusion in AVID: CVE-2022-35984 affects TensorFlow, a core AI/ML framework. It describes a denial-of-service vulnerability caused by a type-mismatch in ParameterizedTruncatedNormal, with a patch and multiple affected TensorFlow versions. This is a software vulnerability in a component commonly used to build/train/deploy AI systems, i.e., a software supply-chain issue for general-purpose AI stacks.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-p2xf-8hgm-hpw5
• https://github.com/tensorflow/tensorflow/commit/72180be03447a10810edca700cbc9af690dfeb51

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-09-16
• Version: 0.3.3
• AVID Entry