Out-of-bounds

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of sparse reduction operations in TensorFlow can trigger accesses outside of bounds of heap allocated data. The implementation fails to validate that each reduction group does not overfl...

CVE-2021-37646 Bad alloc in `StringNGrams` caused by integer conversion in TensorFlow

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of tf.rawops.StringNGrams is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The...

CVE-2021-37645 Integer overflow due to conversion to unsigned in TensorFlow

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of tf.rawops.QuantizeAndDequantizeV4Grad is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on thi...

CVE-2021-37645

TensorFlow CVE-2021-37645 affects affected TF versions prior to 2.6.0 and is caused by an integer overflow in tf.raw_ops.QuantizeAndDequantizeV4Grad when converting a signed axis to unsigned for the absl::InlinedVector constructor, leading to memory allocation based on a large value. A GitHub com...

CVE-2021-37651 Heap buffer overflow in `FractionalAvgPoolGrad` in TensorFlow

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation for tf.rawops.FractionalAvgPoolGrad can be tricked into accessing data outside of bounds of heap allocated buffers. The implementation does not validate that the input tensor is non-empt...

CVE-2021-37650

CVE-2021-37650 affects TensorFlow where the implementations tf.raw_ops.ExperimentalDatasetToTFRecord and tf.raw_ops.DatasetToTFRecord can trigger a heap-based buffer overflow and segmentation fault because records are assumed to be strings but may be numeric. The GNOTO advisory in the Connected d...

CVE-2021-37650 Segfault and heap buffer overflow in `{Experimental,}DatasetToTFRecord` in TensorFlow

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation for tf.rawops.ExperimentalDatasetToTFRecord and tf.rawops.DatasetToTFRecord can trigger heap buffer overflow and segmentation fault. The implementation assumes that all records in the...

CVE-2021-37662 Reference binding to nullptr in boosted trees in TensorFlow

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can generate undefined behavior via a reference binding to nullptr in BoostedTreesCalculateBestGainsPerFeature and similar attack can occur in BoostedTreesCalculateBestFeatureSplitV2. The...

CVE-2021-37656 Reference binding to nullptr in `RaggedTensorToSparse` in TensorFlow

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in tf.rawops.RaggedTensorToSparse. The implementation has an incomplete validation of the splits values: it does not check...

CVE-2021-37657 Reference binding to nullptr in `MatrixDiagV*` ops in TensorFlow

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in all operations of type tf.rawops.MatrixDiagV. The implementation has incomplete validation that the value of k is a valid...

CVE-2021-37658 Reference binding to nullptr in `MatrixSetDiagV*` ops in TensorFlow

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in all operations of type tf.rawops.MatrixSetDiagV. The implementation has incomplete validation that the value of k is a...

CVE-2021-37644 `std::abort` raised from `TensorListReserve` in TensorFlow

TensorFlow is an end-to-end open source platform for machine learning. In affected versions providing a negative element to numelements list argument of tf.rawops.TensorListReserve causes the runtime to abort the process due to reallocating a std::vector to have a negative number of elements. The...

CVE-2021-37654 Heap OOB and CHECK fail in `ResourceGather` in TensorFlow

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a crash via a CHECK-fail in debug builds of TensorFlow using tf.rawops.ResourceGather or a read from outside the bounds of heap allocated data in the same API in a release build. Th...

CVE-2021-37641 Heap OOB in `RaggedGather` in TensorFlow

TensorFlow is an end-to-end open source platform for machine learning. In affected versions if the arguments to tf.rawops.RaggedGather don't determine a valid ragged tensor code can trigger a read from outside of bounds of heap allocated buffers. The implementation directly reads the first...

CVE-2021-37635

CVE-2021-37635 affects TensorFlow: heap out-of-bounds access in sparse reduction operations due to missing validation of reduction groups/indices. Patch committed (87158f43f05f2720a374f3e6d22a7aaa3a33f750) and fixes planned for TensorFlow 2.6.0, with cherry-picks for 2.5.1, 2.4.3, and 2.3.4. Publ...

CVE-2021-37655 Heap OOB in `ResourceScatterUpdate` in TensorFlow

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a read from outside of bounds of heap allocated data by sending invalid arguments to tf.rawops.ResourceScatterUpdate. The implementation has an incomplete validation of the...

CVE-2021-37649

TensorFlow is an end-to-end open source platform for machine learning. The code for tf.rawops.UncompressElement can be made to trigger a null pointer dereference. The implementation obtains a pointer to a CompressedElement from a Variant tensor and then proceeds to dereference it for decompressin...

CVE-2021-37638

TensorFlow is an end-to-end open source platform for machine learning. Sending invalid argument for rowpartitiontypes of tf.rawops.RaggedTensorToTensor API results in a null pointer dereference and undefined behavior. The implementation accesses the first element of a user supplied list of values...

CVE-2021-37637

TensorFlow is an end-to-end open source platform for machine learning. It is possible to trigger a null pointer dereference in TensorFlow by passing an invalid input to tf.rawops.CompressElement. The implementation was accessing the size of a buffer obtained from the return of a separate function...

CVE-2021-37647

TensorFlow is an end-to-end open source platform for machine learning. When a user does not supply arguments that determine a valid sparse tensor, tf.rawops.SparseTensorSliceDataset implementation can be made to dereference a null pointer. The implementation has some argument validation but fails...