Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-n62z-1akp-ebck
Vulnerability ID VCID-n62z-1akp-ebck
Aliases BIT-tensorflow-2022-23584
CVE-2022-23584
GHSA-24x4-6qmh-88qg
PYSEC-2022-148
PYSEC-2022-93
Summary Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a use after free behavior when decoding PNG images. After `png::CommonFreeDecode(&decode)` gets called, the values of `decode.width` and `decode.height` are in an unspecified state. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-416 Use After Free
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00252 https://api.first.org/data/v1/epss?cve=CVE-2022-23584
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-24x4-6qmh-88qg
cvssv3.1 7.6 https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-93.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-93.yaml
cvssv3.1 7.6 https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-148.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-148.yaml
cvssv3.1 7.6 https://github.com/tensorflow/tensorflow
generic_textual HIGH https://github.com/tensorflow/tensorflow
cvssv3.1 7.6 https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/image/decode_image_op.cc#L339-L346
generic_textual HIGH https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/image/decode_image_op.cc#L339-L346
ssvc Track https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/image/decode_image_op.cc#L339-L346
cvssv3.1 7.6 https://github.com/tensorflow/tensorflow/commit/e746adbfcfee15e9cfdb391ff746c765b99bdf9b
generic_textual HIGH https://github.com/tensorflow/tensorflow/commit/e746adbfcfee15e9cfdb391ff746c765b99bdf9b
ssvc Track https://github.com/tensorflow/tensorflow/commit/e746adbfcfee15e9cfdb391ff746c765b99bdf9b
cvssv3.1 7.6 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-24x4-6qmh-88qg
cvssv3.1_qr HIGH https://github.com/tensorflow/tensorflow/security/advisories/GHSA-24x4-6qmh-88qg
generic_textual HIGH https://github.com/tensorflow/tensorflow/security/advisories/GHSA-24x4-6qmh-88qg
ssvc Track https://github.com/tensorflow/tensorflow/security/advisories/GHSA-24x4-6qmh-88qg
cvssv3.1 7.6 https://nvd.nist.gov/vuln/detail/CVE-2022-23584
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-23584
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-23584
https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-93.yaml
https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-148.yaml
https://github.com/tensorflow/tensorflow
https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/image/decode_image_op.cc#L339-L346
https://github.com/tensorflow/tensorflow/commit/e746adbfcfee15e9cfdb391ff746c765b99bdf9b
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-24x4-6qmh-88qg
CVE-2022-23584 https://nvd.nist.gov/vuln/detail/CVE-2022-23584
GHSA-24x4-6qmh-88qg https://github.com/advisories/GHSA-24x4-6qmh-88qg
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-93.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-148.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/tensorflow/tensorflow
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/image/decode_image_op.cc#L339-L346
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:51:15Z/ Found at https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/image/decode_image_op.cc#L339-L346
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/tensorflow/tensorflow/commit/e746adbfcfee15e9cfdb391ff746c765b99bdf9b
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:51:15Z/ Found at https://github.com/tensorflow/tensorflow/commit/e746adbfcfee15e9cfdb391ff746c765b99bdf9b
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/tensorflow/tensorflow/security/advisories/GHSA-24x4-6qmh-88qg
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:51:15Z/ Found at https://github.com/tensorflow/tensorflow/security/advisories/GHSA-24x4-6qmh-88qg
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-23584
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.4871
EPSS Score 0.00252
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T20:29:42.943416+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/tensorflow-gpu/PYSEC-2022-148.yaml 38.6.0