AVID-2026-R1139

Description

Unckecked rank size in tf.image.generate_bounding_box_proposals in Tensorflow (CVE-2022-41888)

Details

TensorFlow is an open source platform for machine learning. When running on GPU, tf.image.generate_bounding_box_proposals receives a scores input that must be of rank 4 but is not checked. We have patched the issue in GitHub commit cf35502463a88ca7185a99daa7031df60b3c1c98. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2022-41888 describes an input validation vulnerability in TensorFlow (tf.image.generate_bounding_box_proposals) within a core AI framework. It is a software vulnerability in a widely used AI software stack component, affecting AI pipelines (training/deployment) and is within the software supply chain. The issue is software-based, relates to availability (possible crash/DoS) and has a published patch. Evidence is provided by the CVE entry and accompanying advisories.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6x99-gv2v-q76v
• https://github.com/tensorflow/tensorflow/commit/cf35502463a88ca7185a99daa7031df60b3c1c98
• https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/image/generate_box_proposals_op.cu.cc

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-11-18
• Version: 0.3.3
• AVID Entry