Home » Database

AVID-2026-R1245

Description

TensorFlow segfault in array_ops.upper_bound (CVE-2023-33976)

Details

TensorFlow is an end-to-end open source platform for machine learning. array_ops.upper_bound causes a segfault when not given a rank 2 tensor. The fix will be included in TensorFlow 2.13 and will also cherrypick this commit on TensorFlow 2.12.

Reason for inclusion in AVID: CVE-2023-33976 describes a TensorFlow vulnerability (segfault in array_ops.upper_bound) within a software library widely used in AI models and pipelines. It affects the software stack relied upon to build/train/deploy AI systems, thus a software supply-chain issue in general-purpose AI systems. The CVE indicates a security-related vulnerability with a high impact on availability, and the report provides sufficient signals (CVE ID, affected component, impact, and references).

References

Affected or Relevant Artifacts

  • Developer: tensorflow
  • Deployer: tensorflow
  • Artifact Details:
TypeName
Systemtensorflow

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.1
Vector StringCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score7.5
Base Severity🔴 High
Attack VectorNETWORK
Attack Complexity🟢 Low
Privileges RequiredNONE
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability Impact🔴 High

CWE

IDDescription
CWE-190CWE-190: Integer Overflow or Wraparound

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-07-30
  • Version: 0.3.3
  • AVID Entry