CVE-2022-41886

TensorFlow is an open source platform for machine learning. When tf.raw_ops.ImageProjectiveTransformV2 is given a large output shape, it overflows. We have patched the issue in GitHub commit 8faa6ea692985dbe6ce10e1a3168e0bd60a723ba. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

Published: Nov 18, 2022
Updated: May 10, 2024
CVE: CVE-2022-41886
GHSA: GHSA-54pp-c6pp-7fpx
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-131

Affected Software
References

Software	From	Fixed in
google / tensorflow	2.10.0	2.10.0.x
google / tensorflow	2.9.0	2.9.3
google / tensorflow	-	2.8.4
tensorflow	-	2.8.4
tensorflow	2.9.0	2.9.3
tensorflow	2.10.0	2.10.1
tensorflow-cpu	-	2.8.4
tensorflow-gpu	-	2.8.4
tensorflow-cpu	2.9.0	2.9.3
tensorflow-gpu	2.9.0	2.9.3
tensorflow-cpu	2.10.0	2.10.1
tensorflow-gpu	2.10.0	2.10.1

https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/image/image_ops.cc
https://github.com/tensorflow/tensorflow/commit/8faa6ea692985dbe6ce10e1a3168e0bd60a723ba
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-54pp-c6pp-7fpx

Vulnerability Database

289,697

CVE-2022-41886