5.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-29210

GHSA ID

GHSA-hc2f-7r5r-r2hg

EPSS Score

0.10595%

CWE

CWE-120

Published

5/24/2022

Updated

6/30/2023

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-29210

CVE-2022-29210: Heap buffer overflow due to incorrect hash function in TensorFlow

Impact

The TensorKey hash function used total estimated AllocatedBytes(), which (a) is an estimate per tensor, and (b) is a very poor hash function for constants (e.g. int32_t). It also tried to access individual tensor bytes through tensor.data() of size AllocatedBytes(). This led to ASAN failures because the AllocatedBytes() is an estimate of total bytes allocated by a tensor, including any pointed-to constructs (e.g. strings), and does not refer to contiguous bytes in the .data() buffer. We couldn't use this byte vector anyways, since types like tstring include pointers, whereas we need to hash the string values themselves.

Patches

We have patched the issue in GitHub commit 1b85a28d395dc91f4d22b5f9e1e9a22e92ccecd6.

The fix will be included in TensorFlow 2.9.0. We will also cherrypick this commit on TensorFlow 2.8.1, which is the only other affected version.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-29210

CVE-2022-29210:

5.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-29210

GHSA ID

GHSA-hc2f-7r5r-r2hg

EPSS Score

0.10595%

CWE

CWE-120

Published

5/24/2022

Updated

6/30/2023

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
tensorflow	pip	>= 2.8.0, < 2.8.1	2.8.1
tensorflow-cpu	pip	>= 2.8.0, < 2.8.1	2.8.1
tensorflow-gpu	pip	>= 2.8.0, < 2.8.1	2.8.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the hash function implementation in TensorKey's AbslHashValue. The commit diff shows the original code iterated over AllocatedBytes() via tensor.data(), which is unsafe for non-contiguous types like tstring. The CVE description explicitly identifies this function as the root cause, and the patch replaces this logic with type-aware handling mirroring the == operator.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-29210: Heap buffer overflow due to incorrect hash function in TensorFlow

Impact

Patches

For more information

CVE-2022-29210:

5.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.5

5.5

Technical Details

CVE-2022-29210: Heap buffer overflow due to incorrect hash function in TensorFlow

Impact

Patches

For more information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI