CVE-2022-21738
Integer overflow leading to crash in Tensorflow
6.5
MEDIUM
CVSS 3.1
EPSS 0.22%
Description
Tensorflow is an Open Source Machine Learning Framework. The implementation of `SparseCountSparseOutput` can be made to crash a TensorFlow process by an integer overflow whose result is then used in a memory allocation. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
How to fix CVE-2022-21738
To remediate CVE-2022-21738, upgrade the affected package to a fixed version below.
- —upgrade to 2.5.3 or later
- —upgrade to 2.5.3 or later
- —upgrade to 2.5.3 or later
- —upgrade to 6f4d3e8139ec724dbbcb40505891c81dd1052c4a or later
- —upgrade to 2.5.3 or later
- —upgrade to 6f4d3e8139ec724dbbcb40505891c81dd1052c4a or later
Is CVE-2022-21738 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (6)
- from 0, < 2.5.3, >= 2.6.0, < 2.6.3, >= 2.7.0, < 2.7.1
- from 0, < 2.5.3
- from 0, < 2.5.3
- from 0, < 6f4d3e8139ec724dbbcb40505891c81dd1052c4a | from 0, < 2.5.3, >= 2.6.0, < 2.6.3
- from 0, < 2.5.3
- from 0, < 6f4d3e8139ec724dbbcb40505891c81dd1052c4a | from 0, < 2.5.3, >= 2.6.0, < 2.6.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |