CVE-2022-41911

MEDIUM

TensorFlow - Info Disclosure

Title source: llm

Description

TensorFlow is an open source platform for machine learning. When printing a tensor, we get it's data as a `const char*` array (since that's the underlying storage) and then we typecast it to the element type. However, conversions from `char` to `bool` are undefined if the `char` is not `0` or `1`, so sanitizers/fuzzers will crash. The issue has been patched in GitHub commit `1be74370327`. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.10.1, TensorFlow 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

References (3)

[Patch, Third Party Advisory] https://github.com/tensorflow/tensorflow/blob/807cae8a807960fd7ac2313cde73a11fc15e7942/tensorflow/core/framework/tensor.cc#L1200-L1227

[Patch, Third Party Advisory] https://github.com/tensorflow/tensorflow/commit/1be743703279782a357adbf9b77dcb994fe8b508

View Patch ZIP pw:eip

[Patch, Third Party Advisory] https://github.com/tensorflow/tensorflow/security/advisories/GHSA-pf36-r9c6-h97j

Scores

CVSS v3 4.8

EPSS 0.0015

EPSS Percentile 35.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-704

Status published

Products (5)

google/tensorflow 2.10.0

google/tensorflow < 2.8.4

pypi/tensorflow 0 - 2.8.4PyPI

pypi/tensorflow-cpu 2.9.0 - 2.9.3PyPI

pypi/tensorflow-gpu 2.10.0 - 2.10.1PyPI

Published Nov 18, 2022

Tracked Since Feb 18, 2026