CVE-2021-41197 — Integer Overflow or Wraparound in Tensorflow

CWE-190 — Integer Overflow or Wraparound CWE-617 — Reachable Assertion9 documents5 sources

Severity

5.5MEDIUMNVD

CNA2.5

EPSS

0.0%

top 94.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow

Timeline

PublishedNov 5

Latest updateMay 25

Description

TensorFlow is an open source platform for machine learning. In affected versions TensorFlow allows tensor to have a large number of dimensions and each dimension can be as large as desired. However, the total number of elements in a tensor must fit within an `int64_t`. If an overflow occurs, `MultiplyWithoutOverflow` would return a negative result. In the majority of TensorFlow codebase this then results in a `CHECK`-failure. Newer constructs exist which return a `Status` instead of crashing the…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶NVDgoogle/tensorflow2.5.0 — 2.5.2+2

▶CVEListV5tensorflow/tensorflow< 2.4.4+2

▶PyPIintel/optimization_for_tensorflow2.5.0 — 2.5.2+6

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

`CHECK` failure in depthwise ops via overflows↗2022-05-25

▶

GHSA

`CHECK`-fails when building invalid tensor shapes in Tensorflow↗2022-02-09

▶

GHSA

Integer Overflow or Wraparound in TensorFlow↗2022-02-09

▶

OSV

Crashes due to overflow and `CHECK`-fail in ops with large tensor shapes↗2021-11-10

▶

GHSA

Crashes due to overflow and `CHECK`-fail in ops with large tensor shapes↗2021-11-10

▶

📋Vendor Advisories

Debian

CVE-2021-41197: tensorflow - TensorFlow is an open source platform for machine learning. In affected versions...↗2021

▶