CVE-2021-41220Use After Free in Google Tensorflow

CWE-416Use After Free6 documents5 sources
Severity
7.8HIGHNVD
EPSS
0.0%
top 94.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Google TensorflowIntel Optimization FOR TensorflowTensorflow
Timeline
PublishedNov 5
Latest updateNov 10

Description

TensorFlow is an open source platform for machine learning. In affected versions the async implementation of `CollectiveReduceV2` suffers from a memory leak and a use after free. This occurs due to the asynchronous computation and the fact that objects that have been `std::move()`d from are still accessed. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, as this version is the only one that is also affected.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

NVDgoogle/tensorflow2.6.02.6.1+1
PyPIintel/optimization_for_tensorflow2.6.02.6.1+2
CVEListV5tensorflow/tensorflow>= 2.6.0, < 2.6.1

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
Use after free / memory leak in `CollectiveReduceV2`2021-11-10
GHSA
Use after free / memory leak in `CollectiveReduceV2`2021-11-10
CVEList
Use after free in `CollectiveReduceV2`2021-11-05
OSV
CVE-2021-41220: TensorFlow is an open source platform for machine learning2021-11-05

📋Vendor Advisories

1
Debian
CVE-2021-41220: tensorflow - TensorFlow is an open source platform for machine learning. In affected versions...2021
CVE-2021-41220 — Use After Free in Google Tensorflow | cvebase