AVID-2026-R1137

Description

Overflow in ImageProjectiveTransformV2 in Tensorflow (CVE-2022-41886)

Details

TensorFlow is an open source platform for machine learning. When tf.raw_ops.ImageProjectiveTransformV2 is given a large output shape, it overflows. We have patched the issue in GitHub commit 8faa6ea692985dbe6ce10e1a3168e0bd60a723ba. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2022-41886 describes a software vulnerability in TensorFlow (ImageProjectiveTransformV2 overflow) that can affect ML pipelines relying on the TensorFlow library. This is a software component used to build/train/deploy AI systems, i.e., a supply-chain dependency. The report provides clear evidence (description, affected versions, and a fix in a GitHub commit) indicating a security impact and remediation. Therefore it qualifies for AVID curation as a software supply-chain vulnerability in general-purpose AI systems.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-54pp-c6pp-7fpx
• https://github.com/tensorflow/tensorflow/commit/8faa6ea692985dbe6ce10e1a3168e0bd60a723ba
• https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/image/image_ops.cc

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-11-18
• Version: 0.3.3
• AVID Entry