CVE-2022-36026

TensorFlow is an open source platform for machine learning. If `QuantizeAndDequantizeV3` is given a nonscalar `num_bits` input tensor, it results in a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit f3f9cb38ecfe5a8a703f2c4a8fead434ef291713. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:2.10:rc0:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:2.10:rc1:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:2.10:rc2:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:2.10:rc3:*:*:*:*:*:*

History

20 Sep 2022, 14:55

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
First Time Google tensorflow
Google
CPE cpe:2.3:a:google:tensorflow:2.10:rc1:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:2.10:rc2:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:2.10:rc3:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
cpe:2.3:a:google:tensorflow:2.10:rc0:*:*:*:*:*:*
References (CONFIRM) https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9cr2-8pwr-fhfq - (CONFIRM) https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9cr2-8pwr-fhfq - Third Party Advisory
References (MISC) https://github.com/tensorflow/tensorflow/commit/f3f9cb38ecfe5a8a703f2c4a8fead434ef291713 - (MISC) https://github.com/tensorflow/tensorflow/commit/f3f9cb38ecfe5a8a703f2c4a8fead434ef291713 - Patch, Third Party Advisory

16 Sep 2022, 22:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-09-16 22:15

Updated : 2023-12-10 14:35


NVD link : CVE-2022-36026

Mitre link : CVE-2022-36026

CVE.ORG link : CVE-2022-36026


JSON object : View

Products Affected

google

  • tensorflow
CWE
CWE-617

Reachable Assertion