Description
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, multiple TensorFlow operations misbehave in eager mode when the resource handle provided to them is invalid. In graph mode, it would have been impossible to perform these API calls, but migration to TF 2.x eager mode opened up this vulnerability. If the resource handle is empty, then a reference is bound to a null pointer inside TensorFlow codebase (various codepaths). This is undefined behavior. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
References (7)
Core 7
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/tensorflow/tensorflow/releases/tag/v2.6.4
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/tensorflow/tensorflow/releases/tag/v2.7.2
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/tensorflow/tensorflow/releases/tag/v2.8.1
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/tensorflow/tensorflow/releases/tag/v2.9.0
Exploit, Patch, Third Party Advisory x_refsource_confirm
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-5wpj-c6f7-24x8
Patch, Third Party Advisory x_refsource_misc
https://github.com/tensorflow/tensorflow/commit/a5b89cd68c02329d793356bda85d079e9e69b4e7
Patch, Third Party Advisory x_refsource_misc
https://github.com/tensorflow/tensorflow/commit/dbdd98c37bc25249e8f288bd30d01e118a7b4498
Scores
CVSS v3
5.5
EPSS
0.0006
EPSS Percentile
17.4%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-20
CWE-475
Status
published
Products (7)
google/tensorflow
2.7.0 rc0 (2 CPE variants)
google/tensorflow
2.8.0 (3 CPE variants)
google/tensorflow
2.9.0 rc0 (2 CPE variants)
google/tensorflow
< 2.6.4
pypi/tensorflow
0 - 2.6.4PyPI
pypi/tensorflow-cpu
0 - 2.6.4PyPI
pypi/tensorflow-gpu
0 - 2.6.4PyPI
Published
May 20, 2022
Tracked Since
Feb 18, 2026