NULL pointer dereference in TensorFlow - CVE-2022-29207

 


Published: May 17, 2022 / Updated: May 3, 2026


Vulnerability identifier: #VU129135
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-29207
CWE-ID: CWE-476
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: TensorFlow
Software vendor: TensorFlow

Description

The vulnerability allows a local user to cause undefined behavior.

The vulnerability exists due to a null pointer dereference in TensorFlow resource handle processing when handling invalid resource handles in eager mode. A local user can supply an empty or otherwise invalid resource handle to trigger undefined behavior.

The issue is reachable in eager mode, while the same API calls would be impossible in graph mode.


Remediation

Install the security update from the vendor's website.
