AI Sec Watch

TensorFlow, an open source machine learning platform, has a vulnerability where an attacker can read data outside the intended memory bounds (a heap overflow, which is when a program accesses memory it shouldn't) by sending specially crafted invalid arguments to a function called tf.raw_ops.SdcaOptimizerV2. The vulnerability exists because the code doesn't verify that the length of input labels matches the number of examples being processed.

TensorFlow, an open source machine learning platform, has a vulnerability where attackers can read data outside the intended memory bounds by sending specially crafted arguments to certain functions like `tf.raw_ops.UpperBound` and `tf.raw_ops.LowerBound`. The vulnerability exists because the code doesn't properly validate the rank (the number of dimensions) of the input data it receives. This could allow attackers to access sensitive information stored in memory.

TensorFlow, an open-source machine learning platform, has a vulnerability in its `tf.raw_ops.NonMaxSuppressionV5` function that allows attackers to crash applications by supplying a negative number, which causes a division by zero error due to improper type conversion (converting a signed integer to an unsigned integer).

TensorFlow, an open source platform for machine learning, has a vulnerability (CVE-2021-37668) where attackers can crash applications by exploiting the `tf.raw_ops.UnravelIndex` function through division by zero (a math error where a program tries to divide by 0). The bug occurs because the code doesn't check if the `dims` tensor (a multi-dimensional array) is empty before performing calculations.

TensorFlow, an open source machine learning platform, has a vulnerability in its MKL implementation where incomplete validation of input tensor dimensions allows attackers to trigger undefined behavior (accessing invalid memory locations or reading data outside allocated memory bounds). Two operations, requantization and MklRequantizePerChannelOp, are affected by this flaw.

TensorFlow, a machine learning platform, has a vulnerability in its `tf.raw_ops.QuantizeV2` function where incomplete validation (checking that inputs meet requirements) allows attackers to cause crashes or read data from invalid memory locations. The vulnerability occurs because the code doesn't properly verify that input parameters have matching sizes and are within valid ranges.

TensorFlow, an open-source machine learning platform, has a vulnerability where an attacker can create a malicious model file that crashes the system by triggering a null pointer dereference (accessing memory at an invalid location without checking if it's safe). The problem occurs in the MLIR optimization (a compiler technique that improves code performance) of the L2NormalizeReduceAxis operator, which tries to access data in a vector without first verifying the vector contains any elements.

TensorFlow, an open source machine learning platform, has a vulnerability where an attacker can create a specially crafted TFLite model (a lightweight version of TensorFlow for mobile devices) that causes a null pointer dereference (attempting to access memory that doesn't exist), crashing the system and preventing it from working. The flaw occurs because the code tries to access a pointer without checking if it's valid first.

TensorFlow 2.6.0 has a bug in its strided slice implementation (a feature that extracts portions of arrays), which attackers can exploit to create models that cause infinite loops (the program gets stuck repeating the same instructions endlessly). The bug appears in TFLite (TensorFlow Lite, a lightweight version for mobile devices) when handling ellipsis (a shorthand notation using '...' in array indexing).