CVE-2022-29207 MEDIUM

CVE-2022-29207: Undefined behavior when users supply invalid resource handles in TensorFlow

Vendor Tensorflow

Product tensorflow

Weakness CWE-20 · Input validation

Published May 20, 2022

Last update April 22, 2025

View on NVD All CVEs

CVSS base score

5.5/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, multiple TensorFlow operations misbehave in eager mode when the resource handle provided to them is invalid. In graph mode, it would have been impossible to perform these API calls, but migration to TF 2.x eager mode opened up this vulnerability. If the resource handle is empty, then a reference is bound to a null pointer inside TensorFlow codebase (various codepaths). This is undefined behavior. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

Key dates

02Disclosure timeline

May 20, 2022 CVE published

April 22, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-29207 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

Identifiers

CVE CVE-2022-29207

CWE CWE-20

CVSS 5.5 / MEDIUM

Affected versions

Vendor Tensorflow

Product tensorflow

Affected < 2.6.4

Vendor Tensorflow

Product tensorflow

Affected >= 2.7.0rc0, < 2.7.2

Vendor Tensorflow

Product tensorflow

Affected >= 2.8.0rc0, < 2.8.1

Vendor Tensorflow

Product tensorflow

Affected >= 2.9.0rc0, < 2.9.0

CVE-2022-29207: Undefined behavior when users supply invalid resource handles in TensorFlow

01Description

02Disclosure timeline

03References

04Related CVE