CVE-2022-35941

HIGH Year: 2022
CVSS v3 Score
7.5
High
Weakness Type
CWE-617
View all →

Vulnerability Description

TensorFlow is an open source platform for machine learning. The `AvgPoolOp` function takes an argument `ksize` that must be positive but is not checked. A negative `ksize` can trigger a `CHECK` failure and crash the program. We have patched the issue in GitHub commit 3a6ac52664c6c095aa2b114e742b0aa17fdce78f. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds to this issue.

Related Vulnerabilities

CVE-2006-4095

HIGH
CVSS:7.5(High)

BIND before 9.2.6-P1 and 9.3.x before 9.3.2-P1 allows remote attackers to cause a denial of service (crash) via certain SIG queries, which cause an assertion failure when multiple RRsets are returned.

CWE-6172006

CVE-2006-5779

HIGH
CVSS:7.5(High)

OpenLDAP before 2.3.29 allows remote attackers to cause a denial of service (daemon crash) via LDAP BIND requests with long authcid names, which triggers an assertion failure.

CWE-6172006

CVE-2006-6767

HIGH
CVSS:7.5(High)

oftpd before 0.3.7 allows remote attackers to cause a denial of service (daemon abort) via a (1) LPRT or (2) LPASV command with an unsupported address family, which triggers an assertion failure.

CWE-6172006

CVE-2011-3596

HIGH
CVSS:7.5(High)

Polipo before 1.0.4.1 suffers from a DoD vulnerability via specially-crafted HTTP POST / PUT request.

CWE-6172011

CVE-2015-8012

HIGH
CVSS:7.5(High)

lldpd before 0.8.0 allows remote attackers to cause a denial of service (assertion failure and daemon crash) via a malformed packet.

CWE-6172015

CVE-2016-8864

HIGH
CVSS:7.5(High)

named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record ...

CWE-6172016