CVE-2021-41208 — NULL Pointer Dereference in Tensorflow

CWE-476 — NULL Pointer Dereference CWE-824 — Access of Uninitialized Pointer7 documents5 sources

Severity

7.8HIGHNVD

CNA8.8GHSA8.8

EPSS

0.0%

top 98.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow

Timeline

PublishedNov 5

Latest updateFeb 9

Description

TensorFlow is an open source platform for machine learning. In affected versions the code for boosted trees in TensorFlow is still missing validation. As a result, attackers can trigger denial of service (via dereferencing `nullptr`s or via `CHECK`-failures) as well as abuse undefined behavior (binding references to `nullptr`s). An attacker can also read and write from heap buffers, depending on the API that gets used and the arguments that are passed to the call. Given that the boosted trees im…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶NVDgoogle/tensorflow2.4.0 — 2.4.4+3

▶CVEListV5tensorflow/tensorflow< 2.4.4+2

▶PyPIintel/optimization_for_tensorflow2.6.0 — 2.6.1+4

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

NULL Pointer Dereference and Access of Uninitialized Pointer in TensorFlow↗2022-02-09

▶

GHSA

Incomplete validation in boosted trees code↗2021-11-10

▶

OSV

Incomplete validation in boosted trees code↗2021-11-10

▶

CVEList

Incomplete validation in boosted trees code↗2021-11-05

▶

OSV

CVE-2021-41208: TensorFlow is an open source platform for machine learning↗2021-11-05

▶

📋Vendor Advisories

Debian

CVE-2021-41208: tensorflow - TensorFlow is an open source platform for machine learning. In affected versions...↗2021

▶