CVE-2021-29520

TensorFlow CVE-2021-29520 concerns a heap buffer overflow in Conv3DBackprop* due to missing validation that assumes input, filter_sizes, and out_backprop have identical shapes. Multiple sources (OSV entries and GHSA advisory) corroborate the issue and patch lineage. The vulnerability affects Conv...

CVE-2021-29521

TensorFlow CVE-2021-29521: A bug in tf.raw_ops.SparseCountSparseOutput triggers a segmentation fault when dense_shape contains negative values. Root cause is the implementation assuming the first element of dense_shape is positive to initialize BatchedMap; with multi-element shapes, num_batches d...

CVE-2021-29523

CVE-2021-29523 : TensorFlow vulnerability where a crafted input for AddManySparseToTensorsMap can trigger a denial-of-service via a CHECK failure in TensorShapeInitDims when sparse_shape values overflow. Root cause: legacy TensorShapeBase constructor multiplies dimensions with potential overflow,...

CVE-2021-29524

TensorFlow (Conv2DBackpropFilter) suffers a division-by-zero vulnerability caused by a modulus operation in conv_grad_shape_utils.cc where the divisor is supplied by the caller. The concrete issue has been tracked as CVE-2021-29524 and is documented across multiple sources (OSV and Ghsa advisorie...

CVE-2021-29524 Division by 0 in `Conv2DBackpropFilter`

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in tf.rawops.Conv2DBackpropFilter. This is because the...

CVE-2021-29585 Division by zero in padding computation in TFLite

TensorFlow is an end-to-end open source platform for machine learning. The TFLite computation for size of output after padding, ComputeOutSizehttps://github.com/tensorflow/tensorflow/blob/0c9692ae7b1671c983569e5d3de5565843d500cf/tensorflow/lite/kernels/padding.hL43-L55, does not check that the...

CVE-2021-29585

TensorFlow/TFLite padding compute path has a division-by-zero in ComputeOutSize when stride is 0, enabling a potential denial-of-service scenario via crafted models. The issue affects padding logic in TF Lite; patches were applied in commit 49847ae and a fix is planned for TensorFlow 2.5.0 with c...

CVE-2021-29586

CVE-2021-29586 affects TensorFlow (TFLite pooling) where optimized pooling implementations fail to validate stride values, allowing params->stride_height/width to be zero and cause a division by zero in ComputePaddingHeightWidth. Practically, this is a vulnerability in the pooling path of Tens...

CVE-2021-29586 Division by zero in optimized pooling implementations in TFLite

TensorFlow is an end-to-end open source platform for machine learning. Optimized pooling implementations in TFLite fail to check that the stride arguments are not 0 before calling...

CVE-2021-29615

CVE-2021-29615 affects TensorFlow and involves a stack overflow in the ParseAttrValue implementation caused by recursive parsing of nested attributes. Connected sources (OSV/GHSA/CNVD/NVD entries) consistently describe this as a vulnerability in TensorFlow’s attribute parsing path, with the fix s...

CVE-2021-29616

CVE-2021-29616 affects TensorFlow: the TrySimplify path in Grappler dereferences a null pointer in corner cases (optimizing a node with no inputs). This is a null-dereference vulnerability in the TensorFlow optimization code, not a user-facing attack surface description. The issue has been fixed ...

CVE-2021-29618

TensorFlow vulnerability CVE-2021-29618: a crash can occur when calling tf.transpose with conjugate=True and a complex input. Affected TF releases include 2.1.x–2.4.x in the supported range; the fix is planned for TensorFlow 2.5.0 with cherry-picks to 2.4.2, 2.3.3, 2.2.3, and 2.1.4. Concrete tech...

CVE-2021-29619

CVE-2021-29619 affects TensorFlow via tf.raw_ops.SparseCountSparseOutput, where passing invalid arguments (including fuzzing-derived inputs) can cause a segfault. Connected sources confirm this is a TensorFlow in-tree issue with a fix planned for TensorFlow 2.5.0 and cherry-picks in supported 2.x...

CVE-2021-29587

TensorFlow/TFLite SpaceToDepth has a division-by-zero flaw in the Prepare step when block_size can be zero. This is triggered by crafted inputs/models and can lead to instability/DoS. The issue is mitigated by a patch in TensorFlow 2.5.0 (and cherry-picks to 2.4.2, 2.3.3, 2.2.3, 2.1.4). Remediati...

CVE-2021-29587 Division by zero in TFLite's implementation of `SpaceToDepth`

TensorFlow is an end-to-end open source platform for machine learning. The Prepare step of the SpaceToDepth TFLite operator does not check for 0 before divisionhttps://github.com/tensorflow/tensorflow/blob/5f7975d09eac0f10ed8a17dbb6f5964977725adc/tensorflow/lite/kernels/spacetodepth.ccL63-L67. An...

CVE-2021-29588

TensorFlow/TFLite issue: the TransposeConv operator in the TFLite backend is vulnerable to a division-by-zero when stride_h/stride_w can be 0, enabling a crafted model to trigger a fault. Root cause follows from the division calculations in optimized_ops.h, requiring callers to validate stride ar...

CVE-2021-29589

CVE-2021-29589 concerns TensorFlow GatherNd in TFLite. The vulnerability is a division-by-zero error when the params input is an empty tensor, triggered by constructing a model that makes params_shape.Dims(.) zero. This can cause a denial of service. A fix is included in TensorFlow 2.5.0, with ch...

CVE-2021-29590

TensorFlow/TFLite Minimum and Maximum operators are vulnerable to a heap-based out-of-bounds read when either input tensor is empty, due to broadcasting code indexing both tensors without bounds validation. The issue affects TF/TFLite, with fixes planned for TensorFlow 2.5.0 and cherry-picked bac...

CVE-2021-29591

TensorFlow/TfLite vulnerability CVE-2021-29591 stems from loops in TFlite subgraphs (example: While) allowing potential infinite recursion and stack exhaustion during evaluation. Affected: TensorFlow/TfLite; root cause: unchecked looping between body and loop subgraphs. Impact described as stack ...

CVE-2021-29592

Summary: CVE-2021-29592 is a null pointer dereference in TensorFlow’s TFLite Reshape operator. The issue arises when the target shape is supplied by a 1-D tensor; a fix previously for CVE-2020-15209 was incomplete, potentially allowing a null buffer to be treated as valid input for a 1-D shape, l...