AVID-2026-R1148

Description

CHECK fail via inputs in SparseFillEmptyRowsGrad in Tensorflow (CVE-2022-41898)

Details

TensorFlow is an open source platform for machine learning. If SparseFillEmptyRowsGrad is given empty inputs, TensorFlow will crash. We have patched the issue in GitHub commit af4a6a3c8b95022c351edae94560acc61253a1b8. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: The CVE concerns TensorFlow (an AI framework) with a vulnerability that causes a crash due to improper input handling in SparseFillEmptyRowsGrad. This is a software vulnerability in a component widely used to build/train/deploy AI systems, with a patch available in the TensorFlow repo and CVE/NVD coverage. It directly affects AI software stacks, and thus is relevant to the AI supply chain (dependencies/frameworks) rather than hardware/firmware. The CVSS details indicate an availability impact, supporting a security/safety vuln classification. Sufficient evidence is provided (CVE entry, commit patch, affected versions, and references).

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-hq7g-wwwp-q46h
• https://github.com/tensorflow/tensorflow/commit/af4a6a3c8b95022c351edae94560acc61253a1b8
• https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/sparse_fill_empty_rows_op_gpu.cu.cc

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-11-18
• Version: 0.3.3
• AVID Entry