Home » Database

AVID-2026-R1151

Description

CHECK_EQ fail via input in SparseMatrixNNZ in Tensorflow (CVE-2022-41901)

Details

TensorFlow is an open source platform for machine learning. An input sparse_matrix that is not a matrix with a shape with rank 0 will trigger a CHECK fail in tf.raw_ops.SparseMatrixNNZ. We have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2022-41901 pertains to TensorFlow, a core AI framework. It describes a software vulnerability (improper input validation) that can cause a crash/DoS via crafted input in a widely used AI software stack. This directly affects AI models/frameworks and is in the software supply chain used to build/train/deploy AI systems. The report provides explicit CVE details, impact, and a patch reference, giving sufficient evidence.

References

Affected or Relevant Artifacts

  • Developer: tensorflow
  • Deployer: tensorflow
  • Artifact Details:
TypeName
Systemtensorflow

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.1
Vector StringCVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H
Base Score4.8
Base Severity🟠 Medium
Attack VectorNETWORK
Attack Complexity🔴 High
Privileges Required🟢 Low
User InteractionREQUIRED
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability Impact🔴 High

CWE

IDDescription
CWE-20CWE-20: Improper Input Validation

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2022-11-18
  • Version: 0.3.3
  • AVID Entry