AVID-2026-R1095

Description

Floating point exception in Conv2D in TensorFlow (CVE-2022-35996)

Details

TensorFlow is an open source platform for machine learning. If Conv2D is given empty input and the filter and padding sizes are valid, the output is all-zeros. This causes division-by-zero floating point exceptions that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 611d80db29dd7b0cfb755772c69d60ae5bca05f9. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Reason for inclusion in AVID: This CVE describes a vulnerability in TensorFlow (an AI framework) that can cause a denial-of-service via a floating-point exception in Conv2D. TensorFlow is a core component used to build, train, deploy, and run general-purpose AI systems, so the issue exists in a software supply chain component (the ML framework). It is a clear security vulnerability with published fixes and affected versions, and the report provides explicit remediation details (commit and patch timeline), establishing sufficient evidence for AVID curation.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q5jv-m6qw-5g37
• https://github.com/tensorflow/tensorflow/commit/611d80db29dd7b0cfb755772c69d60ae5bca05f9

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-09-16
• Version: 0.3.3
• AVID Entry