
Cloud Vulnerability DB
A community-led vulnerabilities database
A memory leak vulnerability was discovered in TensorFlow's PNG image decoding functionality, identified as CVE-2022-23585. When processing invalid PNG images, TensorFlow could produce a memory leak after calling png::CommonInitDecode(..., &decode). The vulnerability affects TensorFlow versions prior to 2.8.0, including versions 2.5.x, 2.6.x, and 2.7.x. The issue was disclosed and patched in February 2022 (GitHub Advisory).
The vulnerability occurs because the decode value contains allocated buffers that can only be freed by calling png::CommonFreeDecode(&decode). However, several error cases in the function implementation invoke the OP_REQUIRES macro, which immediately terminates the execution of the function without allowing the memory to be freed. This results in a memory leak condition (TF Source). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 MEDIUM (NVD).
The vulnerability leads to memory leaks when processing invalid PNG images, which could cause resource exhaustion over time if triggered repeatedly. While the direct impact is limited to memory consumption, it could affect system stability and performance in production environments (GitHub Advisory).
The issue has been patched in TensorFlow 2.8.0. Additionally, the fix has been backported to TensorFlow 2.7.1, 2.6.3, and 2.5.3. Users are advised to upgrade to these patched versions. The fix implements proper cleanup using a gtl::MakeCleanup object to ensure memory is freed even when the OP_REQUIRES macro is invoked (GitHub Patch).
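A constructed C++ model of the leak pattern and of the cleanup-object fix described above, added here as an illustration and not code from TensorFlow: DecodeContext, InitDecode, FreeDecode, REQUIRE_OR_RETURN, Cleanup and MakeCleanup are hypothetical stand-ins for png::CommonInitDecode, png::CommonFreeDecode, OP_REQUIRES and gtl::MakeCleanup, and a global counter stands in for heap instrumentation.

```cpp
#include <cstddef>
#include <cstring>
#include <utility>
static int g_live_buffers = 0;  // stand-in for heap instrumentation (constructed)
// Decode context whose buffer only a matching free call releases
// (simplified model of png::CommonInitDecode / png::CommonFreeDecode).
struct DecodeContext { unsigned char* buf = nullptr; };
static void InitDecode(DecodeContext* d) { d->buf = new unsigned char[64]; ++g_live_buffers; }
static void FreeDecode(DecodeContext* d) {
  if (d->buf) { delete[] d->buf; d->buf = nullptr; --g_live_buffers; }
}
// Models OP_REQUIRES: on failure, return from the enclosing function at once,
// so no cleanup written after this line ever runs.
#define REQUIRE_OR_RETURN(cond) do { if (!(cond)) return false; } while (0)
// Minimal scope guard in the spirit of gtl::MakeCleanup (hypothetical stand-in).
template <typename F> struct Cleanup {
  F f; bool armed = true;
  explicit Cleanup(F fn) : f(std::move(fn)) {}
  Cleanup(Cleanup&& o) : f(std::move(o.f)), armed(o.armed) { o.armed = false; }
  ~Cleanup() { if (armed) f(); }
};
template <typename F> Cleanup<F> MakeCleanup(F f) { return Cleanup<F>(std::move(f)); }
// The "invalid image" condition used here: the 8-byte PNG signature is missing.
static bool HasPngSignature(const unsigned char* d, std::size_t n) {
  return n >= 8 && std::memcmp(d, "\x89PNG\r\n\x1a\n", 8) == 0;
}

// Vulnerable pattern: the early return happens before FreeDecode, leaking the buffer.
bool DecodeLeaky(const unsigned char* data, std::size_t n) {
  DecodeContext decode;
  InitDecode(&decode);
  REQUIRE_OR_RETURN(HasPngSignature(data, n));  // leaves with decode.buf still allocated
  FreeDecode(&decode);
  return true;
}

// Fixed pattern: the cleanup object's destructor frees the buffer on every exit path.
bool DecodeFixed(const unsigned char* data, std::size_t n) {
  DecodeContext decode;
  InitDecode(&decode);
  auto cleanup = MakeCleanup([&decode] { FreeDecode(&decode); });
  REQUIRE_OR_RETURN(HasPngSignature(data, n));
  return true;
}
// Feeds a constructed invalid image to a decoder and reports buffers left allocated.
int LeakedBuffersAfter(bool (*decode)(const unsigned char*, std::size_t)) {
  const unsigned char junk[4] = {'J', 'U', 'N', 'K'};  // constructed, not a PNG
  g_live_buffers = 0;
  decode(junk, sizeof junk);
  return g_live_buffers;
}
```

Running the leaky decoder on the junk input leaves one buffer allocated per call, which is the pattern a leak sanitizer or steadily growing RSS would surface in production; the fixed decoder leaves none.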
Source: This report was generated using AI