AVID-2026-R1101

Description

CHECK fail in Unbatch in TensorFlow (CVE-2022-36002)

Details

TensorFlow is an open source platform for machine learning. When Unbatch receives a nonscalar input id, it gives a CHECK fail that can trigger a denial of service attack. We have patched the issue in GitHub commit 4419d10d576adefa36b0e0a9425d2569f7c0189f. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Reason for inclusion in AVID: The CVE describes a vulnerability in TensorFlow, a core ML framework, where Unbatch can trigger a denial-of-service via a nonscalar input. This is a software component used to build and run AI systems, constituting a software supply-chain issue in AI stacks. The issue is a security vulnerability with a patch and affected versions, supported by references. Therefore it meets all criteria for AVID curation.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mh3m-62v7-68xg
• https://github.com/tensorflow/tensorflow/commit/4419d10d576adefa36b0e0a9425d2569f7c0189f

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-09-16
• Version: 0.3.3
• AVID Entry