CVE-2021-29515 — NULL Pointer Dereference in Tensorflow

CWE-476 — NULL Pointer Dereference7 documents6 sources

Severity

7.8HIGHNVD

CNA2.5

EPSS

0.0%

top 95.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow

Timeline

PublishedMay 14

Latest updateJun 30

Description

TensorFlow is an end-to-end open source platform for machine learning. The implementation of `MatrixDiag*` operations(https://github.com/tensorflow/tensorflow/blob/4c4f420e68f1cfaf8f4b6e8e3eb857e9e4c3ff33/tensorflow/core/kernels/linalg/matrix_diag_op.cc#L195-L197) does not validate that the tensor arguments are non-empty. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are als…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶NVDgoogle/tensorflow2.2.0 — 2.2.3+3

▶CVEListV5tensorflow/tensorflow< 2.1.4+3

▶PyPIintel/optimization_for_tensorflow2.2.0 — 2.2.3+4

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Reference binding to null pointer in `MatrixDiag*` ops↗2021-05-21

▶

OSV

Reference binding to null pointer in `MatrixDiag*` ops↗2021-05-21

▶

CVEList

Reference binding to null pointer in `MatrixDiag*` ops↗2021-05-14

▶

OSV

CVE-2021-29515: TensorFlow is an end-to-end open source platform for machine learning↗2021-05-14

▶

📋Vendor Advisories

Debian

CVE-2021-29515: tensorflow - TensorFlow is an end-to-end open source platform for machine learning. The imple...↗2021

▶

📄Research Papers

arXiv

Threat Assessment in Machine Learning based Systems↗2022-06-30

▶