High severity · NVD Advisory · Published Feb 4, 2022 · Updated Apr 22, 2025
Null-dereference in Tensorflow
CVE-2022-23577
Description
Tensorflow is an Open Source Machine Learning Framework. The implementation of GetInitOp is vulnerable to a crash caused by dereferencing a null pointer. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tensorflow (PyPI) | < 2.5.3 | 2.5.3 |
| tensorflow (PyPI) | >= 2.6.0, < 2.6.3 | 2.6.3 |
| tensorflow (PyPI) | >= 2.7.0, < 2.7.1 | 2.7.1 |
| tensorflow-cpu (PyPI) | < 2.5.3 | 2.5.3 |
| tensorflow-cpu (PyPI) | >= 2.6.0, < 2.6.3 | 2.6.3 |
| tensorflow-cpu (PyPI) | >= 2.7.0, < 2.7.1 | 2.7.1 |
| tensorflow-gpu (PyPI) | < 2.5.3 | 2.5.3 |
| tensorflow-gpu (PyPI) | >= 2.6.0, < 2.6.3 | 2.6.3 |
| tensorflow-gpu (PyPI) | >= 2.7.0, < 2.7.1 | 2.7.1 |
Affected products
- Range: < 2.8.0
Patches
4f38b1ac8e42: Prevent null dereference read in `GetInitOp`.
1 file changed · +8 −3
tensorflow/cc/saved_model/loader_util.cc+8 −3 modified@@ -34,9 +34,14 @@ Status GetInitOp(const string& export_dir, const MetaGraphDef& meta_graph_def, const auto& init_op_sig_it = meta_graph_def.signature_def().find(kSavedModelInitOpSignatureKey); if (init_op_sig_it != sig_def_map.end()) { - *init_op_name = init_op_sig_it->second.outputs() - .find(kSavedModelInitOpSignatureKey) - ->second.name(); + const auto& sig_def_outputs = init_op_sig_it->second.outputs(); + const auto& sig_def_outputs_it = + sig_def_outputs.find(kSavedModelInitOpSignatureKey); + if (sig_def_outputs_it == sig_def_outputs.end()) { + return errors::FailedPrecondition("Could not find output ", + kSavedModelInitOpSignatureKey); + } + *init_op_name = sig_def_outputs_it->second.name(); return Status::OK(); }
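Review bot: In the new `if (sig_def_outputs_it == sig_def_outputs.end())` branch, the `FailedPrecondition` message names only `kSavedModelInitOpSignatureKey`, which is also the key used for the outer signature lookup, so the error does not make clear that it is the signature's output entry that is missing, nor which model triggered it. Consider including `export_dir` (already a parameter of `GetInitOp`) and wording that says the init-op signature has no matching output. Two smaller points: `const auto& sig_def_outputs_it = sig_def_outputs.find(...)` binds a reference to a temporary iterator, which works through lifetime extension but reads better as a plain `const auto`; and the outer lookup calls `find` on `meta_graph_def.signature_def()` while comparing against `sig_def_map.end()`, so calling `sig_def_map.find(...)` there would keep the iterator and its end sentinel visibly on the same container. The change touches one file only, so a regression test that loads a SavedModel whose init-op signature lacks this output would be worth adding with it.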
References
- github.com/advisories/GHSA-8cxv-76p7-jxwr (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-23577 (ghsa, ADVISORY)
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-86.yaml (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-141.yaml (ghsa, WEB)
- github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/cc/saved_model/loader_util.cc (ghsa, x_refsource_MISC, WEB)
- github.com/tensorflow/tensorflow/commit/4f38b1ac8e42727e18a2f0bde06d3bee8e77b250 (ghsa, x_refsource_MISC, WEB)
- github.com/tensorflow/tensorflow/security/advisories/GHSA-8cxv-76p7-jxwr (ghsa, x_refsource_CONFIRM, WEB)