CVE-2023-25668 CRITICAL

CVE-2023-25668: TensorFlow vulnerable to heap out-of-buffer read in the QuantizeAndDequantize operation

Vendor Tensorflow
Product tensorflow
Weakness CWE-122
Published March 24, 2023
Last update February 19, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

TensorFlow is an open source platform for machine learning. In TensorFlow versions prior to 2.12.0 and 2.11.1, an attacker can cause the QuantizeAndDequantize operation to read heap memory outside the buffer under the user's control, leading to a crash or remote code execution. The fix is included in TensorFlow version 2.12.0, and the same commit is cherry-picked into TensorFlow version 2.11.1.

Key dates

Disclosure timeline

March 24, 2023 CVE published
February 19, 2025 Record updated