14324 matches found
Denial of Service (DoS)
Overview Affected versions of this package are vulnerable to Denial of Service DoS when running with XLA, tf.rawops.ParallelConcat segfaults with a nullptr dereference when given a parameter shape with rank that is not greater than zero. PoC import tensorflow as tf func = tf.rawops.ParallelConcat...
NULL Pointer Dereference
Overview Affected versions of this package are vulnerable to NULL Pointer Dereference due to a null pointer error in RandomShuffle with XLA enabled. PoC import tensorflow as tf func = tf.rawops.RandomShuffle para = 'value': 1e+20, 'seed': -4294967297, 'seed2': -2147483649...
Denial of Service (DoS)
Overview Affected versions of this package are vulnerable to Denial of Service DoS due to a floating point exception in TensorListSplit with XLA. PoC import tensorflow as tf func = tf.rawops.TensorListSplit para = 'tensor': 1, 'elementshape': -1, 'lengths': 0 @tf.functionjitcompile=True def...
NULL Pointer Dereference
Overview Affected versions of this package are vulnerable to NULL Pointer Dereference. The function tf.rawops.LookupTableImportV2 cannot handle scalars in the values parameter and gives a null pointer exception. PoC import tensorflow as tf v = tf.Variable1 @tf.functionjitcompile=True def test: fu...
Incorrect Comparison
Overview Affected versions of this package are vulnerable to Incorrect Comparison. Constructing a tflite model with a paramater filterinputchannel of less than 1 gives a float pointer exception. Remediation Upgrade tensorflow-lite to version 2.12.0 or higher. References - GitHub Commit Credit: Wa...
Denial of Service (DoS)
Overview Affected versions of this package are vulnerable to Denial of Service DoS. When running with XLA, tf.rawops.Bincount segfaults when given a parameter weights that is neither the same shape as parameter arr nor a length-0 tensor. PoC import tensorflow as tf func = tf.rawops.Bincount...
Buffer Overflow
Overview Affected versions of this package are vulnerable to Buffer Overflow in TAvgPoolGrad. PoC import os os.environ'TFENABLEONEDNNOPTS' = '0' import tensorflow as tf printtf.version with tf.device"CPU": ksize = 1, 40, 128, 1 strides = 1, 128, 128, 30 padding = "SAME" dataformat = "NHWC"...
Heap-based Buffer Overflow
Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow. Attackers can access heap memory which is not in the control of user, leading to a crash or remote code execution. The fix will be included in TensorFlow version 2.12.0 and will also cherrypick this commit on...
Integer Overflow to Buffer Overflow
Overview Affected versions of this package are vulnerable to Integer Overflow to Buffer Overflow when 2^31 = numframes height width channels 2^32, for example Full HD screencast of at least 346 frames. PoC import urllib.request dat =...
Integer Overflow or Wraparound
Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound in EditDistance. A fix is included in TensorFlow version 2.12.0 and version 2.11.1. PoC import tensorflow as tf para= 'hypothesisindices': , 'hypothesisvalues': 'tmp/', 'hypothesisshape': , 'truthindices':...
Out-of-Bounds
Overview Affected versions of this package are vulnerable to Out-of-Bounds due to mismatched integer type sizes in ValueMap::Manager::GetValueOrCreatePlaceholder, because there is a bug with the tfg-translate call to InitMlir. Remediation Upgrade tensorflow-lite to version 2.12.0 or higher...
Denial of Service (DoS)
Overview Affected versions of this package are vulnerable to Denial of Service DoS due to a floating point exception if the stride and window size are not positive for tf.rawops.AvgPoolGrad. PoC import tensorflow as tf import numpy as np @tf.functionjitcompile=True def test: y =...
NULL Pointer Dereference
Overview Affected versions of this package are vulnerable to NULL Pointer Dereference. When ctx-stepcontainter is a null ptr, the Lookup function will be executed with a null pointer. PoC import tensorflow as tf tf.rawops.TensorArrayConcatV2handle='a', 'b', flowin = 0.1, dtype=tf.int32,...
Denial of Service (DoS)
Overview Affected versions of this package are vulnerable to Denial of Service DoS. When the parameter summarize of tf.rawops.Print is zero, the new method SummarizeArray will reference to a nullptr, leading to a seg fault. PoC import tensorflow as tf tf.rawops.Printinput = tf.constant1, 1, 1,...
Double Free
Overview Affected versions of this package are vulnerable to Double Free. The nnops.fractionalavgpoolv2 and nnops.fractionalmaxpoolv2 functions require the first and fourth elements of their parameter poolingratio to be equal to 1.0, as pooling on batch and channel dimensions is not supported. Po...
NULL Pointer Dereference
Overview Affected versions of this package are vulnerable to NULL Pointer Dereference in QuantizedMatMulWithBiasAndDequantize with MKL enabled. PoC import tensorflow as tf func = tf.rawops.QuantizedMatMulWithBiasAndDequantize para='a': tf.constant138, dtype=tf.quint8, 'b': tf.constant4,...
Denial of Service (DoS)
Overview Affected versions of this package are vulnerable to Denial of Service DoS due to a floating point exception in AudioSpectrogram. PoC import tensorflow as tf para = 'input': tf.constant14., 24., dtype=tf.float32, 'windowsize': 1, 'stride': 0, 'magnitudesquared': False func =...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read if the parameter indices for DynamicStitch does not match the shape of the parameter data. PoC import tensorflow as tf func = tf.rawops.DynamicStitch para='indices': 0xdeadbeef, 405, 519, 758, 1015, 'data':...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read in GRUBlockCellGrad. PoC func = tf.rawops.GRUBlockCellGrad para = 'x': 21.1, 156.2, 83.3, 115.4, 'hprev': array136.5, 136.6, 'wru': array26.7, 0.8, 47.9, 26.1, 26.2, 26.3, 'wc': array 0.4, 31.5, 0.6, 'bru': array0.1,...
NULL Pointer Dereference
Overview Affected versions of this package are vulnerable to NULL Pointer Dereference when SparseSparseMaximum is given invalid sparse tensors as inputs. PoC import tensorflow as tf tf.rawops.SparseSparseMaximum aindices=1, avalues = 0.1 , ashape = 2, bindices=, bvalues =2 , bshape = 2, Remediati...