36 matches found
PT-2023-4898 · Linux +6 · Linux Kernel +6
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation. When route4_change() is called on an existing...
PT-2022-24836 · Frontier · Frontier
Name of the Vulnerable Software and Affected Versions: Frontier versions prior to commit d3beddc6911a559a3ecc9b3f08e153dbe37a8658. Description: The issue arises from the worst case weight always being accounted as the block weight for all cases, which can lead to block spamming attacks in case of...
CVE-2022-35994
TensorFlow is an open source platform for machine learning. When `CollectiveGather` receives a scalar input `input`, it triggers a `CHECK` failure that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit c1f491817dec39a26be3c574e86a88c30f3c4770. The fix will be...
CVE-2022-36005
TensorFlow is an open source platform for machine learning. When `tf.quantization.fake_quant_with_min_max_vars_gradient` receives input `min` or `max` that is nonscalar, it gives a `CHECK` fail that can trigger a denial of service attack. We have patched the issue in GitHub commit...
CVE-2022-35983
TensorFlow is an open source platform for machine learning. If `Save` or `SaveSlices` is run over tensors of an unsupported `dtype`, it results in a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 5dd7b86b84a864b834c6fa3d7f9f51c87efa99d4. Th...
CVE-2022-35966
TensorFlow is an open source platform for machine learning. If `QuantizedAvgPool` is given `min_input` or `max_input` tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit...
CVE-2022-35938
TensorFlow is an open source platform for machine learning. The GatherNd function takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered. This issue has been...
PYSEC-2021-752
TensorFlow is an end-to-end open source platform for machine learning. In affected versions, if the arguments to `tf.raw_ops.RaggedGather` don't determine a valid ragged tensor, code can trigger a read from outside the bounds of heap-allocated buffers. The implementation directly reads the first...
GHSA-CFX7-2XPC-8W4H Division by zero in TFLite's implementation of `BatchToSpaceNd`
Impact: The implementation of the `BatchToSpaceNd` TFLite operator is vulnerable to a division by zero error: `TF_LITE_ENSURE_EQ(context, output_batch_size % block_shape[dim], 0); output_batch_size = output_batch_size / block_shape[dim];` An attacker can craft a model such that one dimension of the block input is 0...
GHSA-GVM4-H8J3-RJRQ CHECK-fail in `LoadAndRemapMatrix`
Impact: An attacker can cause a denial of service by exploiting a CHECK-failure coming from `tf.raw_ops.LoadAndRemapMatrix`: python import tensorflow as tf ckptpath = tf.constant, shape=0, dtype=tf.string oldtensorname = tf.constant"" rowremapping = tf.constant, shape=0, dtype=tf.int64 colremapping =...
GHSA-X4G7-FVJJ-PRG8 Division by 0 in `QuantizedConv2D`
Impact: An attacker can trigger a division by 0 in `tf.raw_ops.QuantizedConv2D`: python import tensorflow as tf input = tf.zeros1, 1, 1, 1, dtype=tf.quint8 filter = tf.constant, shape=1, 0, 1, 1, dtype=tf.quint8 mininput = tf.constant0.0 maxinput = tf.constant0.0001 minfilter = tf.constant0.0 maxfilt...
PYSEC-2020-289
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a nullptr buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one...
PYSEC-2020-291
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indice...
PYSEC-2020-128
In TensorFlow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `data_splits` argument of `tf.raw_ops.StringNGrams` lacks validation. This allows a user to pass values that can cause heap overflow errors and even leak contents of memory. In the linked code snippet, all the binary strings after ...
CVE-2020-15209
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a nullptr buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one...
Android - getpidcon() Usage in Hardware binder ServiceManager Permits ACL Bypass
We already reported four bugs in Android that are caused by the use of getpidcon, which is fundamentally unsafe: https://bugs.chromium.org/p/project-zero/issues/detail?id=727 AndroidID-27111481; unexploitable https://bugs.chromium.org/p/project-zero/issues/detail?id=851 AndroidID-29431260;...