CVE-2022-29211: 
Python vulnerability analysis and mitigation

TensorFlow, an open source platform for machine learning, was found to have a vulnerability in the implementation of tf.histogram_fixed_width prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4. The vulnerability (CVE-2022-29211) was discovered in December 2020 and patched in May 2022. The affected function would crash when the values array contained Not a Number (NaN) elements (GitHub Advisory).

The vulnerability occurs because the implementation assumes all floating point operations are defined and then converts a floating point result to an integer index. When the input values contain NaN elements, the result of the division operation remains NaN, and the subsequent cast to int32 results in a crash. This vulnerability only affects the CPU implementation of the function (GitHub Advisory). The CVSS v3.1 base score for this vulnerability is 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a crash of the application when processing input data containing NaN values, resulting in a denial of service condition (GitHub Advisory).

The vulnerability has been patched in TensorFlow versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4. Users are advised to upgrade to one of these patched versions. The fix was implemented in GitHub commit e57fd691c7b0fd00ea3bfe43444f30c1969748b5, which adds validation to check for NaN values before processing (GitHub Advisory).