Lucene search
+L

213 matches found

Github Security Blog
Github Security Blog
added 2021/05/21 2:27 p.m.40 views

Division by zero in TFLite's implementation of `SpaceToBatchNd`

Impact The implementation of the SpaceToBatchNd TFLite operator is vulnerable to a division by zero error: cc TFLITEENSUREEQcontext, finaldimsize % blockshapedim, 0; outputsize-datadim + 1 = finaldimsize / blockshapedim; An attacker can craft a model such that one dimension of the block input is ...

7.8CVSS1.9AI score0.00201EPSS
Exploits1References8Affected Software3
Github Security Blog
Github Security Blog
added 2021/05/21 2:27 p.m.44 views

Division by zero in TFLite's implementation of `DepthToSpace`

Impact The implementation of the DepthToSpace TFLite operator is vulnerable to a division by zero error: cc const int blocksize = params-blocksize; ... const int inputchannels = input-dims-data3; ... int outputchannels = inputchannels / blocksize / blocksize; An attacker can craft a model such th...

7.8CVSS2.3AI score0.00201EPSS
Exploits1References7Affected Software3
Github Security Blog
Github Security Blog
added 2021/05/21 2:27 p.m.49 views

Division by zero in TFLite's convolution code

Impact TFLite's convolution code has multiple division where the divisor is controlled by the user and not checked to be non-zero. For example: cc const int inputsize = NumElementsinput / SizeOfDimensioninput, 0; Patches We have patched the issue in GitHub commit...

7.8CVSS1.8AI score0.00201EPSS
Exploits1References8Affected Software3
Github Security Blog
Github Security Blog
added 2021/05/21 2:27 p.m.33 views

Division by zero in TFLite's implementation of `BatchToSpaceNd`

Impact The implementation of the BatchToSpaceNd TFLite operator is vulnerable to a division by zero error: cc TFLITEENSUREEQcontext, outputbatchsize % blockshapedim, 0; outputbatchsize = outputbatchsize / blockshapedim; An attacker can craft a model such that one dimension of the block input is 0...

7.8CVSS1.3AI score0.00201EPSS
Exploits1References8Affected Software3
Github Security Blog
Github Security Blog
added 2021/05/21 2:26 p.m.47 views

Null pointer dereference in TFLite's `Reshape` operator

Impact The fix for CVE-2020-15209 missed the case when the target shape of Reshape operator is given by the elements of a 1-D tensor. As such, the fix for the vulnerability allowed passing a null-buffer-backed tensor with a 1D shape: cc if tensor-data.raw == nullptr && tensor-bytes 0 if...

7.8CVSS0.6AI score0.008EPSS
Exploits2References8Affected Software3
OSV
OSV
added 2021/05/21 2:26 p.m.24 views

GHSA-24X6-8C7M-HV3F Heap OOB read in TFLite's implementation of `Minimum` or `Maximum`

Impact The implementations of the Minimum and Maximum TFLite operators can be used to read data outside of bounds of heap allocated objects, if any of the two input tensor arguments are empty. This is because the broadcasting implementation indexes in both tensors with the same index but does not...

2.5CVSS6.9AI score0.00198EPSS
Exploits1References8
Github Security Blog
Github Security Blog
added 2021/05/21 2:26 p.m.48 views

Division by zero in TFLite's implementation of `TransposeConv`

Impact The optimized implementation of the TransposeConv TFLite operator is vulnerable to a division by zero error: cc int heightcol = height + padt + padb - filterh / strideh + 1; int widthcol = width + padl + padr - filterw / stridew + 1; An attacker can craft a model such that strideh,w values...

7.8CVSS1.2AI score0.00201EPSS
Exploits1References8Affected Software3
OSV
OSV
added 2021/05/21 2:26 p.m.2 views

GHSA-26J7-6W8W-7922 Division by zero in optimized pooling implementations in TFLite

Impact Optimized pooling implementations in TFLite fail to check that the stride arguments are not 0 before calling ComputePaddingHeightWidth. Since users can craft special models which will have params-strideheight,width be zero, this will result in a division by zero. Patches We have patched th...

2.5CVSS5.8AI score0.00201EPSS
Exploits1References8
Github Security Blog
Github Security Blog
added 2021/05/21 2:26 p.m.34 views

Overflow/denial of service in `tf.raw_ops.ReverseSequence`

Impact The implementation of tf.rawops.ReverseSequence allows for stack overflow and/or CHECK-fail based denial of service. python import tensorflow as tf input = tf.zeros1, 1, 1, dtype=tf.int32 seqlengths = tf.constant0, shape=1, dtype=tf.int32 tf.rawops.ReverseSequence input=input,...

5.5CVSS2.6AI score0.00198EPSS
Exploits1References7Affected Software3
Github Security Blog
Github Security Blog
added 2021/05/21 2:26 p.m.31 views

Undefined behavior in `MaxPool3DGradGrad`

Impact The implementation of tf.rawops.MaxPool3DGradGrad exhibits undefined behavior by dereferencing null pointers backing attacker-supplied empty tensors: python import tensorflow as tf originput = tf.constant0.0, shape=1, 1, 1, 1, 1, dtype=tf.float32 origoutput = tf.constant0.0, shape=1, 1, 1,...

7.8CVSS2.9AI score0.00201EPSS
Exploits1References7Affected Software3
Github Security Blog
Github Security Blog
added 2021/05/21 2:26 p.m.41 views

Division by 0 in `MaxPoolGradWithArgmax`

Impact The implementation of tf.rawops.MaxPoolGradWithArgmax is vulnerable to a division by 0: python import tensorflow as tf input = tf.constant, shape=0, 0, 0, 0, dtype=tf.float32 grad = tf.constant, shape=0, 0, 0, 0, dtype=tf.float32 argmax = tf.constant, shape=0, dtype=tf.int64 ksize = 1, 1, ...

5.5CVSS2.4AI score0.00189EPSS
Exploits1References7Affected Software3
Github Security Blog
Github Security Blog
added 2021/05/21 2:25 p.m.37 views

Reference binding to nullptr in `SdcaOptimizer`

Impact The implementation of tf.rawops.SdcaOptimizer triggers undefined behavior due to dereferencing a null pointer: python import tensorflow as tf sparseexampleindices = tf.constant0, dtype=tf.int64, tf.constant0, dtype=tf.int64 sparsefeatureindices = tf.constant, shape=0, 0, 0, 0,...

5.5CVSS1.1AI score0.00189EPSS
Exploits1References7Affected Software3
Github Security Blog
Github Security Blog
added 2021/05/21 2:25 p.m.29 views

Heap out of bounds read in `MaxPoolGradWithArgmax`

Impact The implementation of tf.rawops.MaxPoolGradWithArgmax can cause reads outside of bounds of heap allocated data if attacker supplies specially crafted inputs: python import tensorflow as tf input = tf.constant10.0, 10.0, 10.0, shape=1, 1, 3, 1, dtype=tf.float32 grad = tf.constant10.0, 10.0,...

7.1CVSS1.2AI score0.00154EPSS
Exploits0References7Affected Software3
Github Security Blog
Github Security Blog
added 2021/05/21 2:25 p.m.41 views

Reference binding to null in `ParameterizedTruncatedNormal`

Impact An attacker can trigger undefined behavior by binding to null pointer in tf.rawops.ParameterizedTruncatedNormal: python import tensorflow as tf shape = tf.constant, shape=0, dtype=tf.int32 means = tf.constant1, dtype=tf.float32 stdevs = tf.constant1, dtype=tf.float32 minvals = tf.constant1...

7.8CVSS1.9AI score0.00197EPSS
Exploits1References7Affected Software3
OSV
OSV
added 2021/05/21 2:25 p.m.23 views

GHSA-36VM-XW34-X4PJ CHECK-fail in `tf.raw_ops.IRFFT`

Impact An attacker can cause a denial of service by exploiting a CHECK-failure coming from the implementation of tf.rawops.IRFFT: python import tensorflow as tf values = -10.0 130 values0 = -9.999999999999995 inputs = tf.constantvalues, shape=10, 13, dtype=tf.float32 inputs = tf.castinputs,...

2.5CVSS5.8AI score0.00189EPSS
Exploits1References7
Github Security Blog
Github Security Blog
added 2021/05/21 2:24 p.m.35 views

Heap OOB access in unicode ops

Impact An attacker can access data outside of bounds of heap allocated array in tf.rawops.UnicodeEncode: python import tensorflow as tf inputvalues = tf.constant58, shape=1, dtype=tf.int32 inputsplits = tf.constant81, 101, 0, shape=3, dtype=tf.int32 outputencoding = "UTF-8" tf.rawops.UnicodeEncod...

7.1CVSS1.3AI score0.00198EPSS
Exploits1References7Affected Software3
Github Security Blog
Github Security Blog
added 2021/05/21 2:23 p.m.38 views

Division by 0 in `FusedBatchNorm`

Impact An attacker can cause a denial of service via a FPE runtime error in tf.rawops.FusedBatchNorm: python import tensorflow as tf x = tf.constant, shape=1, 1, 1, 0, dtype=tf.float32 scale = tf.constant, shape=0, dtype=tf.float32 offset = tf.constant, shape=0, dtype=tf.float32 mean = tf.constan...

5.5CVSS2.3AI score0.00189EPSS
Exploits1References7Affected Software3
Github Security Blog
Github Security Blog
added 2021/05/21 2:23 p.m.35 views

Division by 0 in `DenseCountSparseOutput`

Impact An attacker can cause a denial of service via a FPE runtime error in tf.rawops.DenseCountSparseOutput: python import tensorflow as tf values = tf.constant, shape=0, 0, dtype=tf.int64 weights = tf.constant tf.rawops.DenseCountSparseOutput values=values, weights=weights, minlength=-1,...

5.5CVSS2.5AI score0.00189EPSS
Exploits1References7Affected Software3
Github Security Blog
Github Security Blog
added 2021/05/21 2:23 p.m.40 views

OOB read in `MatrixTriangularSolve`

Impact The implementation of MatrixTriangularSolve fails to terminate kernel execution if one validation condition fails: cc void ValidateInputTensorsOpKernelContext ctx, const Tensor& in0, const Tensor& in1 override OPREQUIRES ctx, in0.dims = 2, errors::InvalidArgument"In0 ndims must be = 2: ",...

5.5CVSS3.6AI score0.00217EPSS
Exploits1References7Affected Software3
Github Security Blog
Github Security Blog
added 2021/05/21 2:23 p.m.32 views

Division by 0 in `QuantizedBatchNormWithGlobalNormalization`

Impact An attacker can cause a runtime division by zero error and denial of service in tf.rawops.QuantizedBatchNormWithGlobalNormalization: python import tensorflow as tf t = tf.constant, shape=0, 0, 0, 0, dtype=tf.quint8 tmin = tf.constant-10.0, dtype=tf.float32 tmax = tf.constant-10.0,...

5.5CVSS2.4AI score0.00189EPSS
Exploits1References7Affected Software3
Rows per page
Query Builder