CVE-2021-29539 — Incorrect Conversion between Numeric Types in Tensorflow

CWE-681 — Incorrect Conversion between Numeric Types CWE-125 — Out-of-bounds Read7 documents6 sources

Severity

5.5MEDIUMNVD

CNA2.5

EPSS

0.0%

top 97.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow

Timeline

PublishedMay 14

Latest updateFeb 28

Description

TensorFlow is an end-to-end open source platform for machine learning. Calling `tf.raw_ops.ImmutableConst`(https://www.tensorflow.org/api_docs/python/tf/raw_ops/ImmutableConst) with a `dtype` of `tf.resource` or `tf.variant` results in a segfault in the implementation as code assumes that the tensor contents are pure scalars. We have patched the issue in 4f663d4b8f0bec1b48da6fa091a7d29609980fa4 and will release TensorFlow 2.5.0 containing the patch. TensorFlow nightly packages after this commit …

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶NVDgoogle/tensorflow2.2.0 — 2.2.3+3

▶CVEListV5tensorflow/tensorflow< 2.1.4+3

▶PyPIintel/optimization_for_tensorflow2.2.0 — 2.3.0rc0+8

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Segfault in tf.raw_ops.ImmutableConst↗2021-05-21

▶

GHSA

Segfault in tf.raw_ops.ImmutableConst↗2021-05-21

▶

OSV

CVE-2021-29539: TensorFlow is an end-to-end open source platform for machine learning↗2021-05-14

▶

CVEList

Segfault in tf.raw_ops.ImmutableConst↗2021-05-14

▶

📋Vendor Advisories

Red Hat

kernel: netfilter: nftables: avoid overflows in nft_hash_buckets()↗2024-02-28

▶

Debian

CVE-2021-29539: tensorflow - TensorFlow is an end-to-end open source platform for machine learning. Calling `...↗2021

▶