CVE-2021-41195: Integer Overflow or Wraparound in TensorFlow

Severity
NVD: 5.5 MEDIUM
CNA: 2.5
EPSS: 0.0% (top 88.66%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Nov 5
Latest update: Nov 10

Description

TensorFlow is an open source platform for machine learning. In affected versions the implementation of `tf.math.segment_*` operations results in a `CHECK`-fail related abort (and denial of service) if a segment id in `segment_ids` is large. This is similar to CVE-2021-29584 (and similar other reported vulnerabilities in TensorFlow, localized to specific APIs): the implementation (both on CPU and GPU) computes the output shape using `AddDim`. However, if the number of elements in the tensor overf

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6

Affected Packages (3 packages)

NVD  google/tensorflow  2.5.0  2.5.2  +2
CVEListV5  tensorflow/tensorflow  < 2.4.4  +2
PyPI  intel/optimization_for_tensorflow  2.5.0  2.5.2  +3

Patches

Vulnerability Details (4)

GHSA: Crash in `tf.math.segment_*` operations (2021-11-10)
OSV: Crash in `tf.math.segment_*` operations (2021-11-10)
OSV: CVE-2021-41195: TensorFlow is an open source platform for machine learning (2021-11-05)
CVEList: Crash in `tf.math.segment_*` operations (2021-11-05)

Vendor Advisories (1)

Debian: CVE-2021-41195: tensorflow - TensorFlow is an open source platform for machine learning. In affected versions... (2021)
CVE-2021-41195 — Integer Overflow or Wraparound | cvebase