We use cookies to improve your experience on our site.
AVID-2026-R1213
Description
TensorFlow has double free in Fractional(Max/Avg)Pool (CVE-2023-25801)
Details
TensorFlow is an open source machine learning platform. Prior to versions 2.12.0 and 2.11.1, nn_ops.fractional_avg_pool_v2 and nn_ops.fractional_max_pool_v2 require the first and fourth elements of their parameter pooling_ratio to be equal to 1.0, as pooling on batch and channel dimensions is not supported. A fix is included in TensorFlow 2.12.0 and 2.11.1.
Reason for inclusion in AVID: Vulnerability in TensorFlow (an AI framework) with CVE-2023-25801; a software issue in a core component used to build/train/deploy AI systems. It is a software supply-chain relevant vulnerability (not hardware/firmware-only) with explicit affected versions and references, and is security/safety-related (double free). Sufficient evidence is provided in the CVE entry and references.
References
- NVD entry
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-f49c-87jh-g47q
- https://github.com/tensorflow/tensorflow/commit/ee50d1e00f81f62a4517453f721c634bbb478307
Affected or Relevant Artifacts
- Developer: tensorflow
- Deployer: tensorflow
- Artifact Details:
| Type | Name |
|---|---|
| System | tensorflow |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H |
| Base Score | 8.0 |
| Base Severity | 🔴 High |
| Attack Vector | LOCAL |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🟢 Low |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-415 | CWE-415: Double Free |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-03-24
- Version: 0.3.3
- AVID Entry