3086 matches found
CVE-2021-41226 Heap OOB read in `SparseBinCount`
TensorFlow is an open source platform for machine learning. In affected versions the implementation of SparseBinCount is vulnerable to a heap OOB access. This is because of missing validation between the elements of the values argument and the shape of the sparse output. The fix will be included ...
CVE-2021-41226
TensorFlow SparseBinCount is affected by a heap out-of-bounds (OOB) access due to missing validation between the values and the sparse output shape. Reports in CVE-2021-41226 and related advisories identify this as the root cause in affected TF versions. The fix is planned for TensorFlow 2.7.0, w...
CVE-2021-41223
CVE-2021-41223 describes a heap out-of-bounds (OOB) access in TensorFlow's FusedBatchNorm kernels in affected releases. The vulnerability affects the FusedBatchNorm implementation; the fix is planned for TensorFlow 2.7.0, with cherry-picks to 2.6.1, 2.5.2, and 2.4.4 (still in supported range). Mu...
CVE-2021-41223 Heap OOB read in `FusedBatchNorm` kernels
TensorFlow is an open source platform for machine learning. In affected versions the implementation of FusedBatchNorm kernels is vulnerable to a heap OOB access. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow...
CVE-2021-41224
TensorFlow SparseFillEmptyRows vulnerability (CVE-2021-41224): heap-based out-of-bounds access triggered when indices length does not match values length. Affected in TF versions before 2.7.0; fix included in TF 2.7.0 and cherry-picked to 2.6.1, 2.5.2, and 2.4.4. Remediation: upgrade to TF 2.7.0+...
CVE-2021-41212
TensorFlow ragged.cross shape inference has a heap-based out-of-bounds read in affected releases prior to 2.7.0. The fix is in TensorFlow 2.7.0, with cherry-picks to 2.6.1, 2.5.2, and 2.4.4. Upgrade to 2.7.0+ or apply the patches to mitigate ICU/heap corruption risk. Other CVE trackers (OSV, GHSA...
CVE-2021-41212 Heap OOB read in `tf.ragged.cross`
TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for tf.ragged.cross can trigger a read outside of bounds of heap allocated array. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1,...
CVE-2021-41211 Heap OOB read in shape inference for `QuantizeV2`
TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for QuantizeV2 can trigger a read outside of bounds of heap allocated array. This occurs whenever axis is a negative value less than -1. In this case, we are accessing data before the start o...
CVE-2021-41211
CVE-2021-41211 / BIT-tensorflow-2021-41211 : TensorFlow’s QuantizeV2 shape inference can read outside the heap when axis
CVE-2021-41200
TensorFlow is an open source platform for machine learning. In affected versions if `tf.summary.create_file_writer` is called with non-scalar arguments code crashes due to a CHECK-fail. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow...
CVE-2021-41201
TensorFlow is an open source platform for machine learning. In affected versions during execution, EinsumHelper::ParseEquation is supposed to set the flags in the `input_has_ellipsis` vector and the `output_has_ellipsis` boolean to indicate whether there is an ellipsis in the corresponding inputs and output. However...
CVE-2021-41210
TensorFlow is an open source platform for machine learning. In affected versions the shape inference functions for SparseCountSparseOutput can trigger a read outside of bounds of heap allocated array. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow...
CVE-2021-41195
TensorFlow is an open source platform for machine learning. In affected versions the implementation of tf.math.segment operations results in a CHECK-fail related abort and denial of service if a segment id in `segment_ids` is large. This is similar to CVE-2021-29584 and similar other reported...
CVE-2021-41196
TensorFlow is an open source platform for machine learning. In affected versions the Keras pooling layers can trigger a segfault if the size of the pool is 0 or if a dimension is negative. This is due to TensorFlow's implementation of pooling operations where the values in the sliding window...
CVE-2021-41199
TensorFlow is an open source platform for machine learning. In affected versions if tf.image.resize is called with a large input argument then the TensorFlow process will crash due to a CHECK-failure caused by an overflow. The number of elements in the output tensor is too large for the `int64_t` typ...
CVE-2021-41197
TensorFlow is an open source platform for machine learning. In affected versions TensorFlow allows a tensor to have a large number of dimensions and each dimension can be as large as desired. However, the total number of elements in a tensor must fit within an `int64_t`. If an overflow occurs,...