AVID-2026-R1225

Description

TensorFlow has Floating Point Exception in TFLite in conv kernel (CVE-2023-27579)

Details

TensorFlow is an end-to-end open source platform for machine learning. Constructing a tflite model with a paramater filter_input_channel of less than 1 gives a FPE. This issue has been patched in version 2.12. TensorFlow will also cherrypick the fix commit on TensorFlow 2.11.1.

Reason for inclusion in AVID: CVE-2023-27579 describes a software vulnerability in TensorFlow’s TFLite convolution kernel causing a floating point exception when a parameter is invalid (filter_input_channel < 1). This directly affects the AI software stack and is a vulnerability within a widely used ML framework, impacting systems that build/train/deploy general-purpose AI. It is a software supply-chain issue since TensorFlow is a dependency/framework used in AI pipelines. The CVE reports a security/safety vulnerability with potential availability impact, and a patch is provided (version 2.12) with a referenced commit. The report cites NVD/NVD entry and GHSA advisory, providing sufficient evidence.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-5w96-866f-6rm8
• https://github.com/tensorflow/tensorflow/commit/34f8368c535253f5c9cb3a303297743b62442aaa

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2023-03-24
• Version: 0.3.3
• AVID Entry