CVE-2022-36016: 
Python vulnerability analysis and mitigation

TensorFlow, an open source platform for machine learning, was found to have a vulnerability (CVE-2022-36016) where the tensorflow::full_type::SubstituteFromAttrs function triggers a CHECK-fail instead of returning a status when receiving a FullTypeDef& t that does not contain exactly three arguments. The vulnerability was discovered and disclosed in July 2022, affecting TensorFlow versions prior to 2.10.0 (GitHub Advisory).

The vulnerability exists in the input validation mechanism of the SubstituteFromAttrs function. When the function receives a FullTypeDef& t parameter with anything other than exactly three arguments, it triggers a CHECK-fail condition instead of properly handling the error by returning a status. This issue was addressed by replacing the DCHECK statement with explicit test and status return functionality (TensorFlow Commit).

The vulnerability has been classified as Low severity. When triggered, it causes a CHECK-fail condition in the TensorFlow framework, which could potentially lead to application instability or crashes when processing certain input configurations (GitHub Advisory).

The issue has been patched in multiple TensorFlow versions: 2.10.0, 2.9.1, 2.8.1, and 2.7.2. Users are advised to upgrade to these patched versions. The fix was implemented through GitHub commit 6104f0d4091c260ce9352f9155f7e9b725eab012. There are no known workarounds for this issue other than upgrading to a patched version (GitHub Advisory).