CVE-2022-35981: 
Python vulnerability analysis and mitigation

TensorFlow, an open source platform for machine learning, was found to have a vulnerability in its FractionalMaxPoolGrad function (CVE-2022-35981). The vulnerability was discovered where the function validates its inputs using CHECK failures instead of returning errors properly. This issue was reported by Neophytos Christou from Secure Systems Labs, Brown University, and was disclosed on September 15, 2022. The vulnerability affects TensorFlow versions prior to 2.10.0 (GitHub Advisory).

The vulnerability exists in the FractionalMaxPoolGrad function's input validation mechanism. When the function receives incorrectly sized inputs, it triggers CHECK failures rather than properly handling the errors and returning appropriate error messages. The issue has been assigned a CVSS v3.1 base score of 7.5 HIGH by NIST NVD, while GitHub rates it as 5.9 MEDIUM. The vulnerability is tracked as CWE-617 (Reachable Assertion) (NVD).

If exploited, this vulnerability can be used to trigger a denial of service (DoS) attack. When incorrectly sized inputs are provided to the FractionalMaxPoolGrad function, the CHECK failure can cause the application to crash, potentially disrupting the service availability (GitHub Advisory).

The vulnerability has been patched in TensorFlow version 2.10.0. The fix has also been backported to versions 2.7.2, 2.8.1, and 2.9.1. Users are advised to upgrade to these patched versions. The fix was implemented in GitHub commit 8741e57d163a079db05a7107a7609af70931def4, which changes the validation mechanism to return proper errors instead of CHECK failures. There are no known workarounds for this issue (GitHub Advisory).