CVE-2020-26270
Published 2020-12-10
Low 3.3 (CVSS 3.1)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
In affected versions of TensorFlow, running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero length results in a `CHECK` failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tensorflow | — | — |
| | tensorflow | < 1.15.5 | 1.15.5 |
| | tensorflow | >= 2.0.0 < 2.0.4 | 2.0.4 |
| | tensorflow | >= 2.1.0 < 2.1.3 | 2.1.3 |
| | tensorflow | >= 2.2.0 < 2.2.2 | 2.2.2 |
| | tensorflow | >= 2.3.0 < 2.3.2 | 2.3.2 |
| intel | optimization_for_tensorflow | >= 0 < 14755416e364f17fb1870882fa778c7fec7f16e3 | 14755416e364f17fb1870882fa778c7fec7f16e3 |
| intel | optimization_for_tensorflow | >= 0 < 1.15.5 | 1.15.5 |
| intel | optimization_for_tensorflow | >= 2.0.0 < 2.0.4 | 2.0.4 |
| intel | optimization_for_tensorflow | >= 2.1.0 < 2.1.3 | 2.1.3 |
| intel | optimization_for_tensorflow | >= 2.2.0 < 2.2.2 | 2.2.2 |
| intel | optimization_for_tensorflow | >= 2.3.0 < 2.3.2 | 2.3.2 |
| tensorflow | tensorflow | < 1.15.5 | 1.15.5 |
| tensorflow | tensorflow | — | — |
| tensorflow | tensorflow | — | — |
| tensorflow | tensorflow | — | — |
| tensorflow | tensorflow | — | — |
OSV
CVE-2020-26270: In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure wh
osv·2020-12-10
CVE-2020-26270 CVE-2020-26270: In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure wh
GHSA
CHECK-fail in LSTM with zero-length input in TensorFlow
ghsa·2020-12-10
CVE-2020-26270 [MEDIUM] CWE-20 CHECK-fail in LSTM with zero-length input in TensorFlow
### Impact
Running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero length results in a `CHECK` failure when using the CUDA backend.
This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer.
### Patches
We have patched the issue in GitHub commit [14755416e364f17fb1870882fa778c7fec7f16e3](https://github.com/tensorflow/tensorflow/commit/14755416e364f17fb1870882fa778c7fec7f16e3) and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.
Since this issue also impacts TF versions before 2.4, we will patch all releases between 1.15 and 2.3 inclusive.
### For more information
Pl
OSV
CHECK-fail in LSTM with zero-length input in TensorFlow
osv·2020-12-10
CVE-2020-26270 [MEDIUM] CHECK-fail in LSTM with zero-length input in TensorFlow
Debian
CVE-2020-26270: tensorflow - In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU ...
vendor_debian·2020·CVSS 4.4
CVE-2020-26270 [MEDIUM] CVE-2020-26270: tensorflow - In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU ...
Scope: local
forky: resolved
sid: resolved
https://github.com/tensorflow/tensorflow/commit/14755416e364f17fb1870882fa778c7fec7f16e3
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m648-33qf-v3gp
2020-12-10
Published