CVE-2022-23578

MEDIUM

Google Tensorflow < 2.5.2 - Memory Leak

Title source: rule

Description

Tensorflow is an Open Source Machine Learning Framework. If a graph node is invalid, TensorFlow can leak memory in the implementation of `ImmutableExecutorState::Initialize`. Here, we set `item->kernel` to `nullptr` but it is a simple `OpKernel*` pointer so the memory that was previously allocated to it would leak. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

References (3)

[Exploit, Third Party Advisory] https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/common_runtime/immutable_executor_state.cc#L84-L262

[Patch, Third Party Advisory] https://github.com/tensorflow/tensorflow/commit/c79ccba517dbb1a0ccb9b01ee3bd2a63748b60dd

View Patch ZIP pw:eip

[Patch, Third Party Advisory] https://github.com/tensorflow/tensorflow/security/advisories/GHSA-8r7c-3cm2-3h8f

Scores

CVSS v3 4.3

EPSS 0.0020

EPSS Percentile 41.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Classification

CWE

CWE-401

Status published

Affected Products (5)

google/tensorflow < 2.5.2

google/tensorflow

pypi/tensorflow < 2.5.3PyPI

pypi/tensorflow-cpu < 2.5.3PyPI

pypi/tensorflow-gpu < 2.5.3PyPI

Timeline

Published Feb 04, 2022

Tracked Since Feb 18, 2026