CVE-2021-29591 — Infinite Loop in Tensorflow

CWE-835 — Infinite Loop CWE-674 — Uncontrolled Recursion6 documents5 sources

Severity

7.8HIGHNVD

CNA7.3

EPSS

0.1%

top 82.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow

Timeline

PublishedMay 14

Latest updateMay 21

Description

TensorFlow is an end-to-end open source platform for machine learning. TFlite graphs must not have loops between nodes. However, this condition was not checked and an attacker could craft models that would result in infinite loop during evaluation. In certain cases, the infinite loop would be replaced by stack overflow due to too many recursive calls. For example, the `While` implementation(https://github.com/tensorflow/tensorflow/blob/106d8f4fb89335a2c52d7c895b7a7485465ca8d9/tensorflow/lite/ker…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶NVDgoogle/tensorflow2.2.0 — 2.2.3+3

▶CVEListV5tensorflow/tensorflow< 2.1.4+3

▶PyPIintel/optimization_for_tensorflow2.2.0 — 2.2.3+5

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Stack overflow due to looping TFLite subgraph↗2021-05-21

▶

GHSA

Stack overflow due to looping TFLite subgraph↗2021-05-21

▶

OSV

CVE-2021-29591: TensorFlow is an end-to-end open source platform for machine learning↗2021-05-14

▶

CVEList

Stack overflow due to looping TFLite subgraph↗2021-05-14

▶

📋Vendor Advisories

Debian

CVE-2021-29591: tensorflow - TensorFlow is an end-to-end open source platform for machine learning. TFlite gr...↗2021

▶