Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-25667— TensorFlow vulnerable to segfault when opening multiframe gif

CVSS 6.5 · Medium EPSS 0.21% · P43
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-25667

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
TensorFlow vulnerable to segfault when opening multiframe gif
Source: NVD (National Vulnerability Database)
Vulnerability Description
TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, integer overflow occurs when `2^31 <= num_frames * height * width * channels < 2^32`, for example Full HD screencast of at least 346 frames. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
整数溢出或超界折返
Source: NVD (National Vulnerability Database)
Vulnerability Title
Google TensorFlow 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Google TensorFlow是美国谷歌(Google)公司的一套用于机器学习的端到端开源平台。 Google TensorFlow 2.12.0 版本之前的 2.12 版本和 2.11.1 版本之前的 2.11 版本存在输入验证错误漏洞,该漏洞源于当“2^31 <= num_frames * height * width * channels < 2^32”时会发生整数溢出,例如至少 346 帧的全高清截屏。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
tensorflowtensorflow < 2.11.1 -

II. Public POCs for CVE-2023-25667

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2023-25667

登录查看更多情报信息。

Same Patch Batch · tensorflow · 2023-03-24 · 20 CVEs total

CVE-2023-256689.8 CRITICALTensorFlow vulnerable to heap out-of-buffer read in the QuantizeAndDequantize operation
CVE-2023-258018.0 HIGHTensorFlow has double free in Fractional(Max/Avg)Pool
CVE-2023-256697.5 HIGHTensorFlow has Floating Point Exception in AvgPoolGrad with XLA
CVE-2023-275797.5 HIGHTensorFlow has Floating Point Exception in TFLite in conv kernel
CVE-2023-256767.5 HIGHTensorFlow has null dereference on ParallelConcat with XLA
CVE-2023-256757.5 HIGHTensorFlow has Segfault in Bincount with XLA
CVE-2023-256747.5 HIGHTensorFlow has Null Pointer Error in RandomShuffle with XLA enable
CVE-2023-256737.5 HIGHTensorFlow has Floating Point Exception in TensorListSplit with XLA
CVE-2023-256727.5 HIGHTensorFlow has Null Pointer Error in LookupTableImportV2
CVE-2023-256717.5 HIGHTensorFlow has segmentation fault in tfg-translate
CVE-2023-256707.5 HIGHTensorFlow has Null Pointer Error in QuantizedMatMulWithBiasAndDequantize
CVE-2023-256607.5 HIGHTensorFlow vulnerable to seg fault in `tf.raw_ops.Print`
CVE-2023-256657.5 HIGHTensorFlow has Null Pointer Error in SparseSparseMaximum
CVE-2023-256667.5 HIGHTensorFlow has Floating Point Exception in AudioSpectrogram
CVE-2023-256647.5 HIGHTensorFlow vulnerable to Heap Buffer Overflow in AvgPoolGrad
CVE-2023-256637.5 HIGHTensorFlow has Null Pointer Error in TensorArrayConcatV2
CVE-2023-256627.5 HIGHTensorFlow vulnerable to integer overflow in EditDistance
CVE-2023-256587.5 HIGHTensorFlow vulnerable to Out-of-Bounds Read in GRUBlockCellGrad
CVE-2023-256597.5 HIGHTensorFlow vulnerable to Out-of-Bounds Read in DynamicStitch

IV. Related Vulnerabilities

Same product: tensorflow
Same vendor: tensorflow
Same weakness: CWE-190

V. Comments for CVE-2023-25667

No comments yet

Leave a comment