19 matches found
CVE-2020-15210
CVE-2020-15210 affects TensorFlow/TFLite where a saved model reuses the same tensor as input and output for an operator, causing a segmentation fault or memory corruption depending on the operator. The issue has a patch in commit d58c96946b2880991d63d1dacacb32f0a4dfa453 and is addressed in patch ...
CVE-2020-15202
CVE-2020-15202: TensorFlow Shard API truncation bug affects multiple releases (1.15.4, 2.0.3, 2.1.2, 2.2.1, 2.3.1). A lambda taking int/int32 instead of int64 in work-parallelization can cause integer truncation, leading to segfaults, out-of-bounds reads/writes, stack overflows, or data corrupti...
CVE-2020-15209
CVE-2020-15209 affects TensorFlow Lite. A crafted TFLite flatbuffer can flip a tensor’s buffer index, turning a read-only tensor into read-write, which the runtime may treat as writable and initialize with a null buffer, causing a null pointer dereference. The issue has a concrete ro...
CVE-2020-15211
CVE-2020-15211: In TensorFlow Lite (before 1.15.4, 2.0.3, 2.1.2, 2.2.1, 2.3.1), the -1 tensor index used for optional inputs can be treated as a valid index during validation, allowing out-of-bounds reads/writes in some operators. The root cause is the double indexing scheme for tensors i...
CVE-2020-15194
CVE-2020-15194 (TensorFlow) affects TensorFlow before 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. The SparseFillEmptyRowsGrad implementation has incomplete validation of argument shapes; while reverse_index_map_t is validated, grad_values_t is not, enabling an attacker to pass a bad grad_values_t and ...
CVE-2020-15203
CVE-2020-15203 is a TensorFlow format-string vulnerability in tf.strings.as_string triggered by the fill argument. The issue can cause segmentation faults and is fixed in TensorFlow releases 1.15.4, 2.0.3, 2.1.2, 2.2.1, and 2.3.1 (commit 33be22c65d86256e6826666662e40dbdfe70ee83). Public reference...
CVE-2020-15207
CVE-2020-15207 affects TensorFlow Lite: negative indexing support uses ResolveAxis and only debug builds validate the converted index, allowing out-of-bounds access that can cause segfaults/data corruption. Affected: TensorFlow Lite before 1.15.4, 2.0.3, 2.1.2, 2.2.1, 2.3.1. Root cause: insuffici...
CVE-2020-15205
CVE-2020-15205 affects TensorFlow: the data_splits parameter of tf.raw_ops.StringNGrams lacks validation, allowing crafted input that can cause heap overflow and memory leakage, potentially leaking memory contents and aiding ASLR defeat. Affected TF versions include 1.15.4 and 2.x releases up to ...
CVE-2020-15204
CVE-2020-15204 affects TensorFlow in eager mode where a missing session_state leads to a null pointer dereference in tf.raw_ops.GetSessionHandle/GetSessionHandleV2, causing a segmentation fault (denial of service). The issue is fixed in commit 9a133d73ae4b4664d22bd1aa6d654fec13c52ee1 and releases...
CVE-2020-15206
CVE-2020-15206 affects TensorFlow: changing SavedModel protocol buffers and required key names can cause segfaults and data corruption while loading models, leading to a denial of service in inference deployments. The vulnerability was addressed with fixes committed in TF, and TensorFlow versions...
CVE-2020-15208
The CVE-2020-15208 issue affects TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, and 2.3.1. A debug-only DCHECK used to determine the common tensor dimension returns the first tensor’s size, which can be larger than the second tensor’s, allowing reads/writes outside bounds. This is a...
CVE-2020-15190
TensorFlow CVE-2020-15190 is a vulnerability in tf.raw_ops.Switch where, in eager mode, the runtime binds a reference to a nullptr when one of the two outputs is undefined. This causes undefined behavior and can segfault when compiled with -fsanitize=null. The issue affects TensorFlow versions 1....
CVE-2020-15195
TensorFlow vulnerability CVE-2020-15195: SparseFillEmptyRowsGrad uses a double indexing pattern where reverse_index_map(i) can reference grad_values out of bounds, causing a heap-based buffer overflow. Affected releases include 1.15.4, 2.0.3, 2.1.2, 2.2.1, and 2.3.1. A fix was committed (390611e0...
CVE-2020-26266
CVE-2020-26266 (TensorFlow) arises from use of uninitialized Eigen quantized floating point types during code execution, triggered by saved-model handling. Affected TensorFlow versions include 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0; fixes are in those same branches as indicated. The issue ...
CVE-2020-5215
CVE-2020-5215 affects TensorFlow before 1.15.2 and 2.0.1, where converting a Python string to tf.float16 in eager mode can trigger a segmentation fault. The issue arises because format checks for this use case exist only in graph mode, potentially enabling denial of service during inference/train...
CVE-2020-26268
CVE-2020-26268 affects TensorFlow: tf.raw_ops.ImmutableConst can crash Python when mapping a file to a non-integral tensor type, due to an allocator not returning an opaque handle. The issue may trigger a segmentation fault if the memory area is large enough; a check prevents the fault if the fil...
CVE-2020-26267
CVE-2020-26267 affects TensorFlow where tf.raw_ops.DataFormatVecPermute does not validate src_format and dst_format, allowing uninitialized memory accesses, out-of-bounds reads, or crashes by assuming a NHWC permutation. Affected releases include various TensorFlow branches; fixes are published i...
CVE-2020-26270
CVE-2020-26270 affects TensorFlow: when an LSTM/GRU layer receives a zero-length input, the CUDA backend triggers a CHECK failure leading to a denial-of-service (query-of-death). Public sources consistently describe this as a vulnerability in affected TensorFlow builds, with fixes implemented in ...
CVE-2020-26271
CVE-2020-26271: TensorFlow contains a heap out-of-bounds access in MakeEdge when wiring graph edges, caused by missing bounds checks on indices into arrays of tensor data. This can lead to uninitialized memory access and, in certain cases, leakage of library addresses. The description notes the ...