AVID-2026-R1153

Description

Overflow in ResizeNearestNeighborGrad in Tensorflow (CVE-2022-41907)

Details

TensorFlow is an open source platform for machine learning. When tf.raw_ops.ResizeNearestNeighborGrad is given a large size input, it overflows. We have patched the issue in GitHub commit 00c821af032ba9e5f5fa3fe14690c8d28a657624. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2022-41907 describes an overflow in TensorFlow’s ResizeNearestNeighborGrad, a core operation in the TensorFlow AI framework. This is a software vulnerability within a widely-used AI software stack (framework level) that affects model training/inference. It targets a software component used to build/deploy AI systems, with patched versions and references provided. Therefore it is an AI-related vulnerability in the AI software supply chain with sufficient evidence.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-368v-7v32-52fx
• https://github.com/tensorflow/tensorflow/commit/00c821af032ba9e5f5fa3fe14690c8d28a657624
• https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/image/resize_nearest_neighbor_op.cc

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-11-18
• Version: 0.3.3
• AVID Entry