CVE-2021-41223Out-of-bounds Read in Tensorflow

CWE-125Out-of-bounds Read6 documents5 sources
Severity
7.1HIGHNVD
EPSS
0.0%
top 95.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
TensorflowGoogle TensorflowIntel Optimization FOR Tensorflow
Timeline
PublishedNov 5
Latest updateNov 10

Description

TensorFlow is an open source platform for machine learning. In affected versions the implementation of `FusedBatchNorm` kernels is vulnerable to a heap OOB access. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages3 packages

NVDgoogle/tensorflow2.5.02.5.2+2
CVEListV5tensorflow/tensorflow< 2.4.4+2
PyPIintel/optimization_for_tensorflow2.6.02.6.1+4

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
Heap OOB in `FusedBatchNorm` kernels2021-11-10
GHSA
Heap OOB in `FusedBatchNorm` kernels2021-11-10
CVEList
Heap OOB read in `FusedBatchNorm` kernels2021-11-05
OSV
CVE-2021-41223: TensorFlow is an open source platform for machine learning2021-11-05

📋Vendor Advisories

1
Debian
CVE-2021-41223: tensorflow - TensorFlow is an open source platform for machine learning. In affected versions...2021
CVE-2021-41223 — Out-of-bounds Read in Tensorflow | cvebase