VulnerableCode Vulnerability Details - VCID-qp8b-wyj4-h7e4

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-qp8b-wyj4-h7e4

Essentials
Severities (6)
References (5)
Severity details (6)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-qp8b-wyj4-h7e4
Aliases	GHSA-mw6j-hh29-h379 GMS-2022-1528 GMS-2022-1532 GMS-2022-1536
Summary	`CHECK` failure in depthwise ops via overflows ### Impact The implementation of depthwise ops in TensorFlow is vulnerable to a denial of service via `CHECK`-failure (assertion failure) caused by overflowing the number of elements in a tensor: ```python import tensorflow as tf input = tf.constant(1, shape=[1, 4, 4, 3], dtype=tf.float32) filter_sizes = tf.constant(1879048192, shape=[13], dtype=tf.int32) out_backprop = tf.constant(1, shape=[1, 4, 4, 3], dtype=tf.float32) tf.raw_ops.DepthwiseConv2dNativeBackpropFilter( input=input, filter_sizes=filter_sizes, out_backprop=out_backprop, strides=[1, 1, 1, 1], padding="SAME") ``` This is another instance of [TFSA-2021-198](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-198.md) (CVE-2021-41197). ### Patches We have patched the issue in GitHub commit [3796cc4fcd93ae55812a457abc96dcd55fbb854b](https://github.com/tensorflow/tensorflow/commit/3796cc4fcd93ae55812a457abc96dcd55fbb854b). The fix will be included in TensorFlow 2.9.0. We will also cherrypick this commit on TensorFlow 2.8.1, TensorFlow 2.7.2, and TensorFlow 2.6.4, as these are also affected and still in supported range. ### For more information Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. ### Attribution This vulnerability has been reported by Neophytos Christou from Secure Systems Lab at Brown University.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-190	Integer Overflow or Wraparound
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-mw6j-hh29-h379
generic_textual	MODERATE	https://github.com/tensorflow/tensorflow
generic_textual	MODERATE	https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-198.md
generic_textual	MODERATE	https://github.com/tensorflow/tensorflow/commit/3796cc4fcd93ae55812a457abc96dcd55fbb854b
cvssv3.1_qr	MODERATE	https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mw6j-hh29-h379
generic_textual	MODERATE	https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mw6j-hh29-h379

Reference id	Reference type	URL
		https://github.com/tensorflow/tensorflow
		https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-198.md
		https://github.com/tensorflow/tensorflow/commit/3796cc4fcd93ae55812a457abc96dcd55fbb854b
		https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mw6j-hh29-h379
GHSA-mw6j-hh29-h379		https://github.com/advisories/GHSA-mw6j-hh29-h379

No exploits are available.

No EPSS data available for this vulnerability.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-04T17:54:42.701058+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mw6j-hh29-h379/GHSA-mw6j-hh29-h379.json	38.6.0