CVE-2022-24294

HIGH

Apache MXNet < 1.9.1 - Denial of Service via Crafted Operator Name

Title source: llm
STIX 2.1

Description

A regular expression used in Apache MXNet (incubating) is vulnerable to a potential denial-of-service by excessive resource consumption. The bug could be exploited when loading a model in Apache MXNet that has a specially crafted operator name that would cause the regular expression evaluation to use excessive resources to attempt a match. This issue affects Apache MXNet versions prior to 1.9.1.

References (2)

Core 2
Core References
Mailing List, Vendor Advisory x_refsource_misc
https://lists.apache.org/thread/b1fbfmvzlr2bbp95lqoh3mtovclfcl3o
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/07/24/2

Scores

CVSS v3 7.5
EPSS 0.0472
EPSS Percentile 89.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-400
Status published
Products (2)
apache/mxnet < 1.9.1
pypi/mxnet 0 - 1.9.1PyPI
Published Jul 24, 2022
Tracked Since Feb 18, 2026