AVID-2026-R1154

Description

CHECK fail via inputs in PyFunc in Tensorflow (CVE-2022-41908)

Details

TensorFlow is an open source platform for machine learning. An input token that is not a UTF-8 bytestring will trigger a CHECK fail in tf.raw_ops.PyFunc. We have patched the issue in GitHub commit 9f03a9d3bafe902c1e6beb105b2f24172f238645. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2022-41908 describes a vulnerability in TensorFlow PyFunc where a non-UTF-8 input triggers a CHECK failure, potentially causing a crash (availability impact). TensorFlow is a core AI framework used in GP AI pipelines, meaning this vulnerability sits in the software stack that builds, trains, deploys, and serves AI systems. The report includes the CVE, affected versions, patch commit, and references, providing sufficient evidence for classification.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/blob/master/tensorflow/python/lib/core/py_func.cc
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mv77-9g28-cwg3
• https://github.com/tensorflow/tensorflow/commit/9f03a9d3bafe902c1e6beb105b2f24172f238645

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-11-18
• Version: 0.3.3
• AVID Entry