CVE-2022-36011

NULL Pointer Dereference in pypi/tensorflow-cpu

Identifiers

GHSA-fv43-93gv-vm8f, CVE-2022-36011

Package Slug

pypi/tensorflow-cpu

Vulnerability

NULL Pointer Dereference

Description

TensorFlow is an open source platform for machine learning. When mlir::tfg::ConvertGenericFunctionToFunctionDef is given empty function attributes, it gives a null dereference. We have patched the issue in GitHub commit 1cf45b831eeb0cab8655c9c7c5d06ec6f45fc41b. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

Affected Versions

All versions before 2.7.2, all versions starting from 2.8.0 before 2.8.1, all versions starting from 2.9.0 before 2.9.1

Solution

Upgrade to versions 2.7.2, 2.8.1, 2.9.1 or above.

Last Modified

2022-09-19

source