CVE-2022-21732
Memory exhaustion in Tensorflow
CVSS 3.1 score: 4.3 (MEDIUM)
EPSS: 0.22%
Description
TensorFlow is an open source machine learning framework. The implementation of `ThreadPoolHandle` can be used to trigger a denial of service by allocating too much memory. This is because the `num_threads` argument is only checked to not be negative; there is no upper bound on its value, so an arbitrarily large count is accepted and drives a correspondingly large allocation. The fix will be included in TensorFlow 2.8.0. We will also cherry-pick this commit onto TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still within the supported range.
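The following is an added example written for this page; it is not TensorFlow's code and does not model its real thread-pool structures. It contrasts the validation pattern the description names (rejecting only negative values) with a bounded check, using a hypothetical `WorkerState` type, a hypothetical `CreatePool` function and an assumed upper bound `kMaxThreads`, none of which appear in the advisory:

```cpp
#include <cstdint>
#include <iostream>
#include <vector>

// Hypothetical per-worker state; stands in for whatever a thread pool
// allocates per thread. Real TensorFlow structures are not modelled here.
struct WorkerState {
  std::vector<uint8_t> scratch;
};

// Validation of the kind the advisory describes as insufficient: it rejects
// negative counts but lets any positive value, however large, pass.
bool CheckNonNegativeOnly(int64_t num_threads) {
  return num_threads >= 0;
}

// Hardened validation: non-negative AND bounded above. kMaxThreads is an
// assumed value chosen for this example; the page does not state the bound
// TensorFlow's fix uses.
constexpr int64_t kMaxThreads = 1024;

bool CheckBounded(int64_t num_threads) {
  return num_threads >= 0 && num_threads <= kMaxThreads;
}

// Allocates per-worker state only after the supplied check passes.
// Returns the number of workers created, or -1 when the request is rejected.
int64_t CreatePool(int64_t num_threads, bool (*check)(int64_t)) {
  if (!check(num_threads)) {
    return -1;
  }
  // Under CheckNonNegativeOnly, a caller-chosen huge count reaches this
  // allocation; under CheckBounded it never gets here.
  std::vector<WorkerState> workers(static_cast<size_t>(num_threads));
  return static_cast<int64_t>(workers.size());
}

int main() {
  // Constructed inputs: a normal request and an absurd one.
  const int64_t normal = 8;
  const int64_t huge = int64_t{1} << 40;

  // Only the checks themselves are evaluated for the huge value; CreatePool
  // is deliberately not called with it under the weak check, since that
  // would attempt the very allocation the advisory warns about.
  std::cout << "non-negative-only accepts huge: "
            << (CheckNonNegativeOnly(huge) ? "yes" : "no") << '\n';
  std::cout << "bounded accepts huge: "
            << (CheckBounded(huge) ? "yes" : "no") << '\n';
  std::cout << "bounded pool of " << normal << " -> "
            << CreatePool(normal, CheckBounded) << " workers\n";
  std::cout << "bounded pool of " << huge << " -> "
            << CreatePool(huge, CheckBounded) << " (rejected)\n";
  return 0;
}
```

The value of the cap matters less than its existence: tying it to something like the host's core count or a configured maximum turns an attacker-controlled allocation size into a bounded one, which is the property the fixed releases listed below restore.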
How to fix CVE-2022-21732
To remediate CVE-2022-21732, upgrade the affected package to a fixed version below.
- —upgrade to 2.5.3 or later
- —upgrade to 2.5.3 or later
- —upgrade to 2.5.3 or later
- —upgrade to e3749a6d5d1e8d11806d4a2e9cc3123d1a90b75e or later
- —upgrade to 2.5.3 or later
- —upgrade to e3749a6d5d1e8d11806d4a2e9cc3123d1a90b75e or later
Is CVE-2022-21732 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (6)
- from 0, < 2.5.3, >= 2.6.0, < 2.6.3, >= 2.7.0, < 2.7.1
- from 0, < 2.5.3
- from 0, < 2.5.3
- from 0, < e3749a6d5d1e8d11806d4a2e9cc3123d1a90b75e | from 0, < 2.5.3, >= 2.6.0, < 2.6.3
- from 0, < 2.5.3
- from 0, < e3749a6d5d1e8d11806d4a2e9cc3123d1a90b75e | from 0, < 2.5.3, >= 2.6.0, < 2.6.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |