AVID-2026-R1145

Description

MirrorPadGrad heap out of bounds read in Tensorflow (CVE-2022-41895)

Details

TensorFlow is an open source platform for machine learning. If MirrorPadGrad is given outsize input paddings, TensorFlow will give a heap OOB error. We have patched the issue in GitHub commit 717ca98d8c3bba348ff62281fdf38dcb5ea1ec92. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2022-41895 is a TensorFlow vulnerability (MirrorPadGrad) causing a heap out-of-bounds read in a core ML operation. TensorFlow is a primary AI software framework and its kernels are commonly used in ML pipelines to train, deploy, or serve AI systems. This is a software vulnerability within a component used in general-purpose AI stacks, with a public fix and affected versions documented, making it a valid software supply-chain issue for AI systems.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/image/mirror_pad_op.cc
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-gq2j-cr96-gvqx
• https://github.com/tensorflow/tensorflow/commit/717ca98d8c3bba348ff62281fdf38dcb5ea1ec92

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-11-18
• Version: 0.3.3
• AVID Entry