AVID-2026-R1109

Description

Integer overflow in math ops in TensorFlow (CVE-2022-36015)

Details

TensorFlow is an open source platform for machine learning. When RangeSize receives values that do not fit into an int64_t, it crashes. We have patched the issue in GitHub commit 37e64539cd29fcfb814c4451152a60f5d107b0f0. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Reason for inclusion in AVID: CVE-2022-36015 describes an integer overflow in TensorFlow math operations, a software vulnerability in a widely-used AI framework. It affects the AI software stack (TensorFlow), thus relevant to the general-purpose AI supply chain. It is a CVE with potential security impact (crash/DoS), and the report provides explicit details and references (commit, advisories).

References

• NVD entry
• https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/ops/math_ops.cc
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rh87-q4vg-m45j
• https://github.com/tensorflow/tensorflow/commit/37e64539cd29fcfb814c4451152a60f5d107b0f0

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-09-16
• Version: 0.3.3
• AVID Entry