TensorFlow has double free in Fractional(Max/Avg)Pool
CVE-2023-25801
CVSS v3.1 score: 8 (HIGH)
What is CVE-2023-25801?
In TensorFlow, the functions nn_ops.fractional_avg_pool_v2 and nn_ops.fractional_max_pool_v2 require that the first and fourth elements of their pooling_ratio parameter equal 1.0, because pooling on the batch and channel dimensions is not supported. A call that violates this requirement can trigger the double free in Fractional(Max/Avg)Pool named in the title, rather than simply producing unexpected results. An official patch that enforces the requirement is available in TensorFlow 2.12.0 and is backported to 2.11.1.
Affected Version(s)
tensorflow < 2.11.1
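The following guard is an added example, not TensorFlow's own code: it mirrors the pooling_ratio rule described above (batch and channel ratios must be exactly 1.0) so that a caller on an affected version can reject a bad ratio before the op runs, and it classifies a version string against the 2.11.1 fix boundary. It assumes the four-element NHWC layout [batch, height, width, channels] for pooling_ratio; the function names are the example's own.

```python
"""Pre-call guard for CVE-2023-25801 (example helper, not TensorFlow code)."""
import re
from typing import Sequence

PATCHED_VERSION = (2, 11, 1)  # fix shipped in 2.11.1 (and 2.12.0)


def is_affected_version(version: str) -> bool:
    """True if a TensorFlow version string (e.g. '2.10.0', '2.11.0rc2') is < 2.11.1."""
    parts = []
    for piece in version.split("+")[0].split(".")[:3]:
        match = re.match(r"\d+", piece)  # keep leading digits, drop 'rc2' etc.
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:  # pad '2.11' to (2, 11, 0)
        parts.append(0)
    return tuple(parts) < PATCHED_VERSION


def validate_pooling_ratio(pooling_ratio: Sequence[float]) -> list:
    """Return pooling_ratio as a list of floats, or raise ValueError.

    Assumes the NHWC layout the ops use: [batch, height, width, channels].
    Only the batch (index 0) and channel (index 3) ratios are checked here,
    which is exactly the requirement stated in the advisory.
    """
    try:
        ratios = [float(r) for r in pooling_ratio]
    except (TypeError, ValueError) as exc:
        raise ValueError("pooling_ratio must be a sequence of 4 numbers") from exc
    if len(ratios) != 4:
        raise ValueError(f"pooling_ratio must have 4 elements, got {len(ratios)}")
    if ratios[0] != 1.0 or ratios[3] != 1.0:
        raise ValueError(
            "pooling on batch and channel dimensions is not supported: "
            "pooling_ratio[0] and pooling_ratio[3] must equal 1.0, got "
            f"{ratios[0]} and {ratios[3]}"
        )
    return ratios


def pooling_ratio_is_safe(pooling_ratio) -> bool:
    """Boolean form of validate_pooling_ratio, handy for assertions and logging."""
    try:
        validate_pooling_ratio(pooling_ratio)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs; the second is the shape the advisory warns about.
    print(validate_pooling_ratio([1.0, 1.44, 1.73, 1.0]))  # accepted
    print(pooling_ratio_is_safe([2.0, 1.44, 1.73, 1.0]))   # False: ratio on batch dim
    print(is_affected_version("2.11.0"), is_affected_version("2.12.0"))  # True False
```

On a patched TensorFlow the library raises ValueError itself for the same condition, so the guard is redundant there; on an affected version it is the mitigation short of upgrading.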
CVSS V3.1
Score: 8
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged