CVE-2022-23557

Summary

Tensorflow is an Open Source Machine Learning Framework. An attacker can craft a TFLite model that would trigger a division by zero in BiasAndClamp implementation. There is no check that the bias_size is non zero. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Affected Software

VendorProductVersion RangeStatus
tensorflowtensorflow>= 2.7.0, < 2.7.1affected
tensorflowtensorflow>= 2.6.0, < 2.6.3affected
tensorflowtensorflow< 2.5.3affected

Weaknesses

  • CWE-369: CWE-369: Divide By Zero

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References