AVID-2026-R1100

Description

CHECK fail in DrawBoundingBoxes in TensorFlow (CVE-2022-36001)

Details

TensorFlow is an open source platform for machine learning. When DrawBoundingBoxes receives an input boxes that is not of dtype float, it gives a CHECK fail that can trigger a denial of service attack. We have patched the issue in GitHub commit da0d65cdc1270038e72157ba35bf74b85d9bda11. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Reason for inclusion in AVID: CVE-2022-36001 describes a vulnerability in TensorFlow’s DrawBoundingBoxes that can trigger a denial of service when input boxes dtype is not float. TensorFlow is a core AI framework used to develop, train, and deploy AI systems. This is a software vulnerability within an AI software stack, impacting general-purpose AI systems and their pipelines. The report provides explicit vulnerability details, affected versions, a patch commit, and a CVSS scoring signal (I/A impact), meeting evidence requirements.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-jqm7-m5q7-3hm5
• https://github.com/tensorflow/tensorflow/commit/da0d65cdc1270038e72157ba35bf74b85d9bda11

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-09-16
• Version: 0.3.3
• AVID Entry