CVE-2022-23564: 
Python vulnerability analysis and mitigation

TensorFlow, an Open Source Machine Learning Framework, was found to contain a vulnerability (CVE-2022-23564) where a process could encounter cases where a CHECK assertion is invalidated based on user-controlled arguments when decoding a resource handle tensor from protobuf. This vulnerability was discovered and disclosed in February 2022, affecting TensorFlow versions prior to 2.8.0 (GitHub Advisory, NVD).

The vulnerability occurs during the decoding of resource handle tensors from protobuf format. When processing these tensors, the system fails to properly validate user-controlled arguments, leading to an invalidation of CHECK assertions. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

This vulnerability allows attackers to cause denial of service in TensorFlow processes. The impact is primarily on the availability of the system, with no direct effect on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in multiple versions: TensorFlow 2.8.0 (main fix), 2.7.1, 2.6.3, and 2.5.3. Users are advised to upgrade to these patched versions. The fix was implemented in commit 14fea662350e7c26eb5fe1be2ac31704e5682ee6, which addresses the issue by improving the validation of resource handle tensors during protobuf decoding (GitHub Advisory).