CVE-2022-23559

Tensorflow is an Open Source Machine Learning Framework. An attacker can craft a TFLite model that would cause an integer overflow in embedding lookup operations. Both embedding_size and lookup_size are products of values provided by the user. Hence, a malicious user could trigger overflows in the multiplication. In certain scenarios, this can then result in heap OOB read/write. Users are advised to upgrade to a patched version.

Published: Feb 5, 2022
Updated: May 9, 2024
CVE: CVE-2022-23559
GHSA: GHSA-98p5-x8x4-c9m5
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-190

Affected Software
References

Software	From	Fixed in
google / tensorflow	2.7.0	2.7.0.x
google / tensorflow	-	2.5.2.x
google / tensorflow	2.6.0	2.6.2.x
tensorflow	-	2.5.3
tensorflow	2.6.0	2.6.3
tensorflow	2.7.0	2.7.0.x
tensorflow	2.7.0	2.7.1
tensorflow-cpu	-	2.5.3
tensorflow-cpu	2.6.0	2.6.3
tensorflow-cpu	2.7.0	2.7.0.x
tensorflow-cpu	2.7.0	2.7.1
tensorflow-gpu	-	2.5.3
tensorflow-gpu	2.6.0	2.6.3
tensorflow-gpu	2.7.0	2.7.0.x
tensorflow-gpu	2.7.0	2.7.1

Vulnerability Database

289,697

CVE-2022-23559