CVE-2021-41224Out-of-bounds Read in Tensorflow

CWE-125Out-of-bounds Read6 documents5 sources
Severity
7.1HIGHNVD
EPSS
0.0%
top 95.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
TensorflowGoogle TensorflowIntel Optimization FOR Tensorflow
Timeline
PublishedNov 5
Latest updateNov 10

Description

TensorFlow is an open source platform for machine learning. In affected versions the implementation of `SparseFillEmptyRows` can be made to trigger a heap OOB access. This occurs whenever the size of `indices` does not match the size of `values`. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages3 packages

NVDgoogle/tensorflow2.5.02.5.2+2
CVEListV5tensorflow/tensorflow< 2.4.4+2
PyPIintel/optimization_for_tensorflow2.5.02.5.2+4

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
`SparseFillEmptyRows` heap OOB2021-11-10
GHSA
`SparseFillEmptyRows` heap OOB2021-11-10
OSV
CVE-2021-41224: TensorFlow is an open source platform for machine learning2021-11-05
CVEList
`SparseFillEmptyRows` heap OOB read2021-11-05

📋Vendor Advisories

1
Debian
CVE-2021-41224: tensorflow - TensorFlow is an open source platform for machine learning. In affected versions...2021
CVE-2021-41224 — Out-of-bounds Read in Tensorflow | cvebase