CVE-2021-41213 — Improper Locking in Tensorflow

CWE-667 — Improper Locking CWE-662 — Improper Synchronization6 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 86.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tensorflow Google Tensorflow Intel Optimization FOR Tensorflow

Timeline

PublishedNov 5

Latest updateNov 10

Description

TensorFlow is an open source platform for machine learning. In affected versions the code behind `tf.function` API can be made to deadlock when two `tf.function` decorated Python functions are mutually recursive. This occurs due to using a non-reentrant `Lock` Python object. Loading any model which contains mutually recursive functions is vulnerable. An attacker can cause denial of service by causing users to load such models and calling a recursive `tf.function`, although this is not a frequent…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶NVDgoogle/tensorflow2.4.0 — 2.4.4+3

▶CVEListV5tensorflow/tensorflow< 2.4.4+2

▶PyPIintel/optimization_for_tensorflow2.5.0 — 2.5.2+4

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Deadlock in mutually recursive `tf.function` objects↗2021-11-10

▶

GHSA

Deadlock in mutually recursive `tf.function` objects↗2021-11-10

▶

OSV

CVE-2021-41213: TensorFlow is an open source platform for machine learning↗2021-11-05

▶

CVEList

Deadlock in mutually recursive `tf.function` objects↗2021-11-05

▶

📋Vendor Advisories

Debian

CVE-2021-41213: tensorflow - TensorFlow is an open source platform for machine learning. In affected versions...↗2021

▶