GHSA-mw6j-hh29-h379: 
Python vulnerability analysis and mitigation

The vulnerability (GHSA-mw6j-hh29-h379) affects the implementation of depthwise operations in TensorFlow, discovered in May 2022. This security flaw impacts multiple versions of TensorFlow packages (tensorflow, tensorflow-cpu, tensorflow-gpu) affecting versions < 2.6.4, >= 2.7.0 < 2.7.2, and >= 2.8.0 < 2.8.1. The vulnerability is related to a previous issue (CVE-2021-41197) and was reported by Neophytos Christou from Secure Systems Lab at Brown University (GitHub Advisory).

The vulnerability stems from a CHECK-failure (assertion failure) in depthwise operations caused by overflowing the number of elements in a tensor. The issue occurs when handling large tensor shapes, where the total number of elements must fit within an int64_t type. When an overflow happens, the MultiplyWithoutOverflow function returns a negative result, leading to a CHECK-failure in most cases (TF Security).

The vulnerability can lead to a denial of service condition through CHECK-failure when exploited. This occurs when processing tensors with specific configurations that trigger the overflow condition (GitHub Advisory).

The issue has been patched in multiple versions: TensorFlow 2.6.4, 2.7.2, 2.8.1, and 2.9.0. The fix involves using AddDimWithStatus instead of AddDim to catch and report integer overflow gracefully. The patch was implemented in GitHub commit 3796cc4fcd93ae55812a457abc96dcd55fbb854b (GitHub Commit).