Home » Database

AVID-2026-R1143

Description

CHECK_EQ fail in tf.raw_ops.TensorListResize in Tensorflow (CVE-2022-41893)

Details

TensorFlow is an open source platform for machine learning. If tf.raw_ops.TensorListResize is given a nonscalar value for input size, it results CHECK fail which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 888e34b49009a4e734c27ab0c43b0b5102682c56. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: The candidate describes CVE-2022-41893, a vulnerability in TensorFlow (an AI framework) where a CHECK failure in TensorListResize can lead to denial of service. This directly concerns AI/ML software stacks and is in the software supply chain (TensorFlow dependency used to build/train/deploy AI systems). It is a security vulnerability with a confirmed patch in a public commit and advisory, providing sufficient evidence for inclusion.

References

Affected or Relevant Artifacts

  • Developer: tensorflow
  • Deployer: tensorflow
  • Artifact Details:
TypeName
Systemtensorflow

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.1
Vector StringCVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H
Base Score4.8
Base Severity🟠 Medium
Attack VectorNETWORK
Attack Complexity🔴 High
Privileges Required🟢 Low
User InteractionREQUIRED
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability Impact🔴 High

CWE

IDDescription
CWE-617CWE-617: Reachable Assertion

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2022-11-18
  • Version: 0.3.3
  • AVID Entry