CVE-2022-23594 (CNNVD-202202-426)
中文标题:
Google TensorFlow 缓冲区错误漏洞
英文标题:
Out of bounds read in Tensorflow
漏洞描述
中文描述:
Google TensorFlow是美国谷歌(Google)公司的一套用于机器学习的端到端开源平台。 Tensorflow 存在缓冲区错误漏洞,如果攻击者可利用该漏洞改变磁盘上的SavedModel格式使这些假设无效,然后GraphDef被转换为基于mlir的IR,那么它们可能会导致Python解释器崩溃。
英文描述:
Tensorflow is an Open Source Machine Learning Framework. The TFG dialect of TensorFlow (MLIR) makes several assumptions about the incoming `GraphDef` before converting it to the MLIR-based dialect. If an attacker changes the `SavedModel` format on disk to invalidate these assumptions and the `GraphDef` is then converted to MLIR-based IR then they can cause a crash in the Python interpreter. Under certain scenarios, heap OOB read/writes are possible. These issues have been discovered via fuzzing and it is possible that more weaknesses exist. We will patch them as they are discovered.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| tensorflow | tensorflow | >= 2.7.0, < 2.8.0 | - | - |
cpe:2.3:a:tensorflow:tensorflow:>=_2.7.0,_<_2.8.0:*:*:*:*:*:*:*
|
| tensorflow | 2.7.0 | - | - |
cpe:2.3:a:google:tensorflow:2.7.0:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (cna)
HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2022-23594 |
2025-11-11 15:21:18 | 2025-11-11 07:37:20 |
| NVD | nvd_CVE-2022-23594 |
2025-11-11 14:58:14 | 2025-11-11 07:45:36 |
| CNNVD | cnnvd_CNNVD-202202-426 |
2025-11-11 15:10:49 | 2025-11-11 07:57:09 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 缓冲区错误
- cnnvd_id: 未提取 -> CNNVD-202202-426
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- affected_products_count: 1 -> 2
- data_sources: ['cve'] -> ['cve', 'nvd']