CVE-2022-35938: 
TensorFlow vulnerability analysis and mitigation

The vulnerability (CVE-2022-35938) affects the GatherNd function in TensorFlow Lite Micro. The issue was discovered and disclosed in September 2022, where the GatherNd function could trigger an out-of-bounds memory read or crash when the inputs provided are greater than or equal to the sizes of the outputs (TF Advisory).

The vulnerability exists in the GatherNd operation implementation where input validation was insufficient. The function takes arguments that determine the sizes of inputs and outputs, but failed to properly validate these parameters before performing memory operations. This could lead to accessing memory locations outside the intended bounds when the inputs given are greater than or equal to the output sizes (TF Advisory).

When exploited, this vulnerability can cause out-of-bounds memory reads or result in application crashes. This could potentially lead to information disclosure or denial of service conditions in applications using the affected TensorFlow Lite Micro versions (TF Advisory).

The issue has been fixed in TensorFlow commit 4142e47e9e31db481781b955ed3ff807a781b494. Users should upgrade to the patched versions: TensorFlow 2.10.0, 2.9.2, 2.8.3, or 2.7.4. The fix includes additional validation checks to verify that an index is valid before performing memory reads (TF Advisory).