431 matches found
CVE-2022-35994
CVE-2022-35994 is a denial-of-service issue in TensorFlow’s CollectiveGather when given a scalar input. Root cause: a CHECK failure in CollectiveGather. A patch was committed (c1f491817dec39a26be3c574e86a88c30f3c4770) and will be included in TensorFlow 2.10.0; the fix will also be cherry-picked t...
CVE-2022-36002
CVE-2022-36002 affects TensorFlow: Unbatch can trigger a denial of service when given a nonscalar id input, due to a CHECK failure. The issue has been patched in commit 4419d10d576adefa36b0e0a9425d2569f7c0189f and will be included in TensorFlow 2.10.0; affected releases will also receive a cherry...
CVE-2022-36026
TensorFlow vulnerability CVE-2022-36026: A non-scalar num_bits input to QuantizeAndDequantizeV3 triggers a CHECK failure, enabling denial of service. The issue is fixed in commit f3f9cb38ecfe5a8a703f2c4a8fead434ef291713 and the fix will be in TensorFlow 2.10.0; cherry-picks are planned for 2.9.1,...
CVE-2021-29516
TensorFlow CVE-2021-29516 describes a null pointer dereference in tf.raw_ops.RaggedTensorToVariant when provided with an invalid ragged tensor. The issue arises because batched_ragged.splits(0) is dereferenced without validating non-emptiness. Affected: TensorFlow and related entries indicate the...
CVE-2021-29533
TensorFlow DrawBoundingBoxes (CVE-2021-29533) is affected by a CHECK_-driven input validation flaw that can crash the program when an empty image is passed. The root cause is input validation using CHECK_ instead of OP_REQUIRES, causing a negative max_box_row_clamp and a crash. The fix is include...
CVE-2021-29537
CVE-2021-29537 affects TensorFlow: a heap buffer overflow in QuantizedResizeBilinear triggered by invalid quantization thresholds. Root cause is assuming two scalar inputs are valid and directly indexing their values; if min/max tensors are empty, accessing element 0 overflows. Public details con...
CVE-2021-29550
TensorFlow CVE-2021-29550 concerns a runtime division-by-zero in tf.raw_ops.FractionalAvgPool within the FractionalAvgPool implementation. The root cause is that the operator computes output_size by floor-dividing input_size[i] by pooling_ratio[i], where both values are user-controlled; if input_...
CVE-2021-29586
CVE-2021-29586 affects TensorFlow (TFLite pooling) where optimized pooling implementations fail to validate stride values, allowing params->stride_height/width to be zero and cause a division by zero in ComputePaddingHeightWidth. Practically, this is a vulnerability in the pooling path of Tens...
CVE-2021-29591
TensorFlow/TfLite vulnerability CVE-2021-29591 stems from loops in TFlite subgraphs (example: While) allowing potential infinite recursion and stack exhaustion during evaluation. Affected: TensorFlow/TfLite; root cause: unchecked looping between body and loop subgraphs. Impact described as stack ...
CVE-2021-29604
TensorFlow/TFLite hashtable lookup (HashtableLookup) is affected by a division-by-zero in hashtable_lookup.cc when the first dimension of values is 0. Root cause: num_rows derived from the 0th dimension leads to invalid division. Affected: TensorFlow/TFLite hashtable lookup; fix slated for Tensor...
CVE-2021-29615
CVE-2021-29615 affects TensorFlow and involves a stack overflow in the ParseAttrValue implementation caused by recursive parsing of nested attributes. Connected sources (OSV/GHSA/CNVD/NVD entries) consistently describe this as a vulnerability in TensorFlow’s attribute parsing path, with the fix s...
CVE-2021-41199
CVE-2021-41199 refers to an overflow crash in TensorFlow’s tf.image.resize when the output size is very large. Affected TF versions up to 2.7.0 (and cherry-picks for 2.6.1, 2.5.2, 2.4.4) abort the process via a CHECK failure due to int64 overflow while computing the output tensor size. Connected ...
CVE-2022-23568
CVE-2022-23568 describes an integer overflow in TensorFlow’s AddManySparseToTensorsMap, causing a CHECK-fail when constructingTensorShape objects. The issue arises from insufficient validation of input tensor shapes and constructing large TensorShape with user-provided dimensions, enabling a deni...
CVE-2022-23580
Summary: CVE-2022-23580 affects TensorFlow; during shape inference, TensorFlow may allocate a very large vector based on a user-controlled tensor value. This can lead to resource exhaustion. The issue has a fix in TensorFlow 2.8.0, with cherry-picks to 2.7.1, 2.6.3, and 2.5.3 for affected support...
CVE-2022-23589
CVE-2022-23589 affects the Grappler component of TensorFlow. The vulnerability is a null pointer dereference that can occur during constant folding when SavedModel nodes are missing, and similarly in IsIdentityConsumingSwitch. The fix is in TensorFlow 2.8.0, with cherry-picks to 2.7.1, 2.6.3, and...
CVE-2022-23593
TensorFlow CVE-2022-23593 affects the MLIR-TFRT simplifyBroadcast path. When shapes are scalar, maxRank becomes 0 and an empty SmallVector is built, leading to a segfault (denial of service). The fix is planned for TensorFlow 2.8.0; upgrading to that version (or newer) is the remediation if appli...
CVE-2022-35934
CVE-2022-35934 : TensorFlow’s tf.reshape op is vulnerable to a denial of service caused by a CHECK-failure when overflowing the number of tensor elements. The issue is patched in commit 61f0f9b94df8c0411f0ad0ecc2fec2d3f3c33555; the fix is planned for TensorFlow 2.10.0 and will be cherry-picked to...
CVE-2022-35984
TensorFlow CVE-2022-35984 affects ParameterizedTruncatedNormal where shape is assumed to be int32; providing an int64 shape triggers a mismatched type CHECK failure that can cause a denial of service. The issue has been patched in commit 72180be03447a10810edca700cbc9af690dfeb51 and the fix is sla...
CVE-2022-35992
TensorFlow’s CVE-2022-35992 affects TensorListFromTensor when element_shape has rank > 1, triggering a CHECK failure that can lead to denial of service. The issue is addressed by GitHub commit 3db59a042a38f4338aa207922fa2f476e000a6ee and will be fixed in TensorFlow 2.10.0; Red Hat and IBM advi...
CVE-2022-41887
TensorFlow CVE-2022-41887 describes a buffer/size-mismatch overflow in tf.keras.losses.poisson when y_pred/y_true dimensions overflow an int32 during broadcasting in BinaryOp. A patch is committed (c5b30379ba87cbe774b08ac50c1f6d36df4ebb7c) and will be included in TensorFlow 2.11; TensorFlow 2.10....
CVE-2022-41899
CVE-2022-41899 — TensorFlow SdcaOptimizer rank check issue . The vulnerability occurs when inputs are not rank-2 and triggers a CHECK failure in SdcaOptimizer, potentially impacting availability. The root cause is a rank validation check in the optimizer. Patch available in GitHub commit 80ff197d...
CVE-2020-15265
TensorFlow before 2.4.0 is affected by CVE-2020-15265: passing an invalid axis to tf.quantization.quantize_and_dequantize can trigger a segfault due to a DCHECK in dim_size, potentially crashing the C++ kernel. The issue is patched in commit eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow...
CVE-2021-29539
TensorFlow CVE-2021-29539 describes a segfault in tf.raw_ops.ImmutableConst when dtype is tf.resource or tf.variant. Root cause: the implementation assumes scalar contents, leading to a crash. A fix was committed (4f663d4b8f0bec1b48da6fa091a7d29609980fa4) and TensorFlow 2.5.0 will include the pat...
CVE-2021-37642
CVE-2021-37642 involves TensorFlow’s tf.raw_ops.ResourceScatterDiv, where an implementation division-by-zero can occur in affected builds. Public details confirm this is rooted in the shared binary-ops class and that a patch was applied in GitHub commit 4aacb30888638da75023e6601149415b39763d76, w...
CVE-2021-37687
CVE-2021-37687 describes a heap-based out-of-bounds read in TensorFlow Lite’s GatherNd and Gather, caused by missing index checks for negative values in indices. An attacker could read arbitrary heap data via crafted models. Patched in GitHub commits bb6a0383ed... and eb92112211..., with the fix ...
CVE-2021-41206
CVE-2021-41206 is described across multiple connected sources as a TensorFlow issue where several TF ops fail to validate the shapes of tensor arguments, potentially causing undefined behavior, crashes (segfaults or CHECK failures), and heap-related reads/writes. The issue affects TensorFlow’s co...
CVE-2021-41214
CVE-2021-41214 affects TensorFlow’s ragged.cross shape inference: binding a reference to nullptr causes undefined behavior. A fix is planned for TensorFlow 2.7.0, with cherry-picks to 2.6.1, 2.5.2, and 2.4.4 (still in supported range). Implication: vulnerable versions may crash or behave unexpect...
CVE-2021-41216
TensorFlow CVE-2021-41216 describes a heap buffer overflow in the shape inference for Transpose when perm contains negative elements. The shape inference function does not validate that perm indices are within range, leading to potential overflow. The fix is stated for TensorFlow 2.7.0, with cher...
CVE-2022-23581
CVE-2022-23581 concerns the Grappler optimizer in TensorFlow. The vulnerability arises when a SavedModel is altered in a way that triggers a CHECK failure in IsSimplifiableReshape, enabling a denial of service. Technical details in the connected documents specify the affected component as the Gra...
CVE-2022-35995
CVE-2022-35995 affects TensorFlow. The issue occurs in the AudioSummaryV2 path when an input sample_rate has more than one element, causing a CHECK failure that can be used to trigger a denial of service. A fix is implemented in GitHub commit bf6b45244992e2ee543c258e519489659c99fb7f and will be i...
CVE-2022-35998
CVE-2022-35998 affects TensorFlow. When EmptyTensorList receives an input element_shape with more than one dimension, a CHECK failure can be triggered, potentially enabling a denial of service. The issue is fixed in commit c8ba76d48567aed347508e0552a257641931024d and will be included in TensorFlo...
CVE-2022-41885
TensorFlow vulnerability CVE-2022-41885 affects tf.raw_ops.FusedResizeAndPadConv2D when handling large tensor shapes, causing a buffer/overflow. A fix was committed (d66e1d568275e6a2947de97dca7a102a211e01ce) and will be included in TensorFlow 2.11. TensorFlow team will cherry-pick this commit to ...
CVE-2022-41907
CVE-2022-41907 affects TensorFlow: when calling tf.raw_ops.ResizeNearestNeighborGrad with a very large size, an integer overflow occurs in the operation. The issue has been fixed in commit 00c821af032ba9e5f5fa3fe14690c8d28a657624 and the fix will be included in TensorFlow 2.11; TensorFlow 2.10.1,...
CVE-2020-15200
CVE-2020-15200 affects TensorFlow before 2.3.1. The RaggedCountSparseOutput path does not validate that the input ragged tensor is well-formed, specifically not validating that the splits form a valid partition of values. This can set up conditions that lead to a heap-based buffer overflow and, i...
CVE-2021-29517
CVE-2021-29517 affects TensorFlow Conv3D: division-by-zero in the Conv3D kernel caused by a modulo on user input (fifth filter dimension), potentially triggering an Eigen assertion and a crash. The issue is addressed by a TensorFlow fix in 2.5.0, with cherry-picks to 2.4.2, 2.3.3, 2.2.3 and 2.1.4...
CVE-2021-29524
TensorFlow (Conv2DBackpropFilter) suffers a division-by-zero vulnerability caused by a modulus operation in conv_grad_shape_utils.cc where the divisor is supplied by the caller. The concrete issue has been tracked as CVE-2021-29524 and is documented across multiple sources (OSV and Ghsa advisorie...
CVE-2021-29528
CVE-2021-29528 is a TensorFlow vulnerability in the QuantizedMul path that can trigger a division by zero. The issue arises because the implementation divides by a quantity controlled by the caller, per the cited code path in quantized_mul_op.cc. Public details confirm affected TensorFlow release...
CVE-2021-29575
CVE-2021-29575 targets TensorFlow’s tf.raw_ops.ReverseSequence. Concrete details from connected docs show the root cause: the operation does not validate seq_dim and batch_dim, allowing negative values to cause stack overflow or CHECK-fail Denial of Service (local). Impact is a local DoS conditio...
CVE-2021-29589
CVE-2021-29589 concerns TensorFlow GatherNd in TFLite. The vulnerability is a division-by-zero error when the params input is an empty tensor, triggered by constructing a model that makes params_shape.Dims(.) zero. This can cause a denial of service. A fix is included in TensorFlow 2.5.0, with ch...
CVE-2021-29613
CVE-2021-29613 covers TensorFlow CTCLoss: the vulnerability is caused by incomplete validation in tf.raw_ops.CTCLoss that can trigger an out-of-bounds read from the heap (and related heap buffer overflow/null-pointer dereference conditions) as described in multiple sources. Affected: TensorFlow r...
CVE-2021-37648
TensorFlow SaveV2 input validation flaw (tf.raw_ops.SaveV2) allows a local attacker to trigger a NULL pointer dereference due to improper input validation in ValidateInputs. The issue was fixed in TensorFlow 2.6.0 (commit 9728c60e...); backports were planned for 2.5.1, 2.4.3, and 2.3.4. Affected ...
CVE-2022-36003
TensorFlow CVE-2022-36003 affects RandomPoissonV2: large input shapes/rates trigger a CHECK failure leading to DoS. A patch was committed (552bfced6ce4…) and the fix will be in TensorFlow 2.10.0, with cherry-picks to 2.9.1, 2.8.1, and 2.7.2. Remediation: upgrade to TensorFlow 2.10.0 or apply the ...
CVE-2022-36011
CVE-2022-36011 affects TensorFlow: a null dereference when mlir::tfg::ConvertGenericFunctionToFunctionDef is given empty function attributes. Root cause: empty attributes lead to a null dereference in MLIR/TFG import. Remediation per sources: fix landed in TensorFlow 2.10.0 and will be cherry-pic...
CVE-2022-36014
TensorFlow vulnerability CVE-2022-36014: a null dereference in mlir::tfg::TFOp::nameAttr when provided a null type list, causing a crash (denial of service potential). Fixed in GitHub commits 3a754740d5414e362512ee981eefba41561a63a6 and a0f0b9a21c9270930457095092f558fbad4c03e5. The patch will be ...
CVE-2022-41908
TensorFlow CVE-2022-41908: CHECK fail in tf.raw_ops.PyFunc triggered by non-UTF-8 input tokens. Patch committed (9f03a9d3bafe902c1e6beb105b2f24172f238645); fix slated for TensorFlow 2.11 with cherry-picks to 2.10.1, 2.9.3, and 2.8.4. No exploit details provided in the documents.
CVE-2021-29521
TensorFlow CVE-2021-29521: A bug in tf.raw_ops.SparseCountSparseOutput triggers a segmentation fault when dense_shape contains negative values. Root cause is the implementation assuming the first element of dense_shape is positive to initialize BatchedMap; with multi-element shapes, num_batches d...
CVE-2021-29532
Summary: CVE-2021-29532 affects TensorFlow and describes a heap out-of-bounds read in RaggedCross when processing tensors, due to missing validation of user-supplied indices in ragged/dense/sparse paths. The vulnerability arises from code that uses list indices (e.g., next_ragged/next_sparse/next...
CVE-2021-29548
TensorFlow vulnerability CVE-2021-29548 concerns the QuantizedBatchNormWithGlobalNormalization path. The issue is a runtime division-by-zero that can cause a denial of service due to insufficient validation of the op contract in the quantized batch-norm kernel. A fix is planned and will be includ...
CVE-2021-29557
CVE-2021-29557 : TensorFlow’s DoS is caused by a division-by-zero in tf.raw_ops.SparseMatMul when the second operand (b) is an empty tensor, triggering a runtime error deep in Eigen. Public sources in connected documents confirm this vulnerability in TensorFlow’s SparseMatMul, with remediation de...
CVE-2021-29558
TensorFlow SparseSplit heap overflow (CVE-2021-29558) : Multiple security records (OSV, GHSA, CNVD, NVD) describe a heap-based overflow in tf.raw_ops.SparseSplit caused by accessing an array element using a user-controlled offset in SparseTensor.h. The vulnerability can lead to denial of service ...