CVE-2022-23593 MEDIUM

CVE-2022-23593: Segfault in `simplifyBroadcast` in TensorFlow

Vendor Tensorflow
Product tensorflow
Weakness CWE-754
Published February 4, 2022
Last update April 22, 2025

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

TensorFlow is an open source machine learning framework. The `simplifyBroadcast` function in TensorFlow's MLIR-TFRT infrastructure is vulnerable to a segfault (and hence denial of service) if called with scalar shapes. If all shapes are scalar, then `maxRank` is 0, so the function builds an empty `SmallVector`. The fix will be included in TensorFlow 2.8.0. This is the only affected version.

Key dates

02 Disclosure timeline

February 4, 2022 CVE published
April 22, 2025 Record updated

Related vulnerabilities

04 Related CVE