All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
TensorFlow (an open-source machine learning framework) has a vulnerability in its `OpLevelCostEstimator::CalculateOutputSize` function where an integer overflow (when a calculation produces a number too large for the system to handle) can occur if an attacker creates an operation with tensors (multi-dimensional arrays of numbers) containing enough elements. The vulnerability can be triggered either by using many dimensions or by making individual dimensions large enough to cause the overflow.
Fix: The fix will be included in TensorFlow 2.8.0. The fix will also be applied to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3.
NVD/CVE DatabaseTensorFlow, an open-source machine learning framework, has a vulnerability in its `OpLevelCostEstimator::CalculateTensorSize` function that can be exploited through integer overflow (a type of bug where numbers become too large for the program to handle correctly). An attacker could trigger this by creating an operation with a tensor (a multi-dimensional array of data) containing an extremely large number of elements.
TensorFlow, an open-source machine learning framework, has a typo in its `SpecializeType` code that causes a heap OOB (out-of-bounds, where the program tries to read or write memory outside the area it's allowed to access) read/write vulnerability. Due to the typo, a variable called `arg` uses the wrong loop index, which allows code to read and modify data outside the intended memory bounds.
TensorFlow's `AssignOp` (a copy operation in machine learning code) has a bug where it can copy uninitialized data (memory with random or leftover values) to a new tensor, causing unpredictable behavior. The code only checks that the destination is ready, but not the source, leaving room for uninitialized data to be used.
TensorFlow (an open source machine learning framework) has a bug where it sometimes fails to determine data types correctly during shape inference (the process of figuring out what dimensions data will have). The bug is hidden in production builds because assertion checks are disabled, causing the program to crash when it tries to use an error result as if it were valid data.
TensorFlow (an open source machine learning framework) has a vulnerability where attackers can crash TensorFlow processes by sending specially crafted data with invalid tensor types or shapes during decoding from protobuf (a data format used to serialize structured data). This is a denial of service attack, meaning the attacker can make the system stop working rather than gain unauthorized access.
TensorFlow, an open-source machine learning framework, has a bug where it can crash or behave unpredictably when decoding certain data structures (protobuf, a format for storing structured data) if some required information is missing. The problem occurs because the code only checks for this issue in debug builds (test versions), not in production builds (versions used in real applications), so real users may experience crashes or undefined behavior.
TensorFlow, an open-source machine learning framework, has a vulnerability in its Grappler component where the `set_output` function can write data to an array at any index specified by an attacker, creating a heap OOB write (out-of-bounds write, where data is written to memory locations it shouldn't access). This gives a malicious user the ability to write arbitrary data to unintended memory locations.
TensorFlow (an open-source machine learning framework) has a vulnerability where an attacker can crash the system by modifying a SavedModel file on disk to contain duplicate operation attributes, triggering an assertion failure (a built-in check that causes the program to stop if a condition is false). This is a denial of service attack (making a system unavailable to legitimate users).
TensorFlow (an open source machine learning framework) has a vulnerability where attackers can crash TensorFlow processes by providing specially crafted input when the system converts protobuf (a data format) into resource handle tensors, because a validation check can be bypassed through user-controlled arguments.
TensorFlow, an open-source machine learning framework, uses an unsafe function called `tempfile.mktemp` to create temporary files in multiple places. This creates a race condition vulnerability (TOC/TOU, a timing gap where another process can interfere between when the system checks if a filename exists and when it actually creates the file), which is especially dangerous in utility and library code rather than just testing code.
TensorFlow (an open-source framework for building machine learning models) has a vulnerability in its Range function where integer overflows (when numbers get too large and wrap around to incorrect values) can cause undefined behavior or extremely large memory allocations. This bug affects multiple versions of the software.
An attacker can create a malicious TFLite model (a compressed machine learning format for mobile devices) that writes data outside the boundaries of an array in TensorFlow, potentially overwriting the memory allocator's linked list (a data structure that tracks available memory) to achieve arbitrary write access to system memory. This vulnerability affects multiple versions of TensorFlow, an open-source framework for building AI systems.
TensorFlow, an open-source machine learning framework, has a vulnerability in TFLite (TensorFlow Lite, a lightweight version for mobile devices) where an attacker can create a specially crafted model that allows limited reads and writes outside of arrays by exploiting missing validation during conversion from sparse tensors (data structures with mostly empty values) to dense tensors (fully populated data structures). This vulnerability affects multiple versions of TensorFlow.
TensorFlow (an open-source machine learning framework) has a vulnerability where an attacker can create a malicious TFLite model (a lightweight version of TensorFlow for mobile devices) that causes an integer overflow (when a number calculation exceeds the maximum value a computer can store) in embedding lookup operations. This overflow can sometimes lead to heap OOB read/write (accessing memory outside the intended boundaries), potentially allowing attackers to read or corrupt data.
An attacker can create a malicious TFLite model (a lightweight version of TensorFlow used on mobile devices) that causes an integer overflow (where a number gets too large to fit in its storage space, wrapping around to a negative or small value) in TensorFlow's `TfLiteIntArrayCreate` function. The vulnerability happens because the code returns an `int` instead of a larger `size_t` datatype, allowing attackers to manipulate model inputs so the calculated size exceeds what an `int` can hold.
TensorFlow, an open-source machine learning framework, has a vulnerability in its TFLite (TensorFlow Lite, a version optimized for mobile devices) model processor where an attacker can create a specially crafted model that causes a division by zero error (attempting to divide a number by zero, which crashes programs) in the `BiasAndClamp` function because the code doesn't check if `bias_size` is zero before using it.
A vulnerability in TensorFlow (an open-source machine learning framework) allows an attacker to create a malicious TFLite model (TensorFlow Lite, a lightweight version of TensorFlow) that causes a division by zero error in depthwise convolutions (a type of neural network operation). The bug occurs because the code divides by a user-controlled parameter without first checking that it is positive.
TensorFlow, an open-source machine learning framework, has a vulnerability in its `SparseCountSparseOutput` function that allows a heap overflow (a type of memory corruption where a program writes data beyond allocated memory boundaries). The vulnerability affects multiple versions of TensorFlow.
TensorFlow (an open source machine learning framework) has a bug in its `QuantizedMaxPool` function where user-controlled inputs can trigger a null pointer dereference (a crash caused by the program trying to access memory that doesn't exist). The vulnerability allows attackers to potentially cause the program to crash or behave unpredictably.
Fix: The fix will be included in TensorFlow 2.8.0. The vulnerability will also be patched in TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, which are still in the supported range.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. The commit will also be cherry-picked (applied to older versions) on TensorFlow 2.7.1 and TensorFlow 2.6.3.
NVD/CVE DatabaseFix: Update to TensorFlow 2.8.0. If you cannot upgrade immediately, apply backported fixes available in TensorFlow 2.7.1, TensorFlow 2.6.3, or TensorFlow 2.5.3, which are still supported versions.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. The fix will also be applied to TensorFlow 2.7.1 and TensorFlow 2.6.3, which are still in the supported range.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. The vulnerability will also be patched in TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. TensorFlow 2.7.1 and TensorFlow 2.6.3 will also receive this fix through a cherrypick (backporting the fix to older supported versions).
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. TensorFlow 2.7.1, 2.6.3, and 2.5.3 will also receive the fix via a cherry-pick (applying specific code changes to older versions), as these versions are still supported and also affected.
NVD/CVE DatabaseFix: Update to TensorFlow 2.8.0 or apply the patch from the commit at https://github.com/tensorflow/tensorflow/commit/c2b31ff2d3151acb230edc3f5b1832d2c713a9e0. The fix will also be included in TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3.
NVD/CVE DatabaseFix: Update to TensorFlow 2.8.0, or apply cherrypicked fixes available in TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3.
NVD/CVE DatabaseFix: The source states: "We have patched the issue in several commits, replacing `mktemp` with the safer `mkstemp`/`mkdtemp` functions, according to the usage pattern. Users are advised to upgrade as soon as possible."
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. The vulnerability will also be patched in TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, which are still supported versions.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. The same fix will also be cherry-picked (backported) to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3.
NVD/CVE DatabaseFix: Upgrade to TensorFlow 2.8.0. For users on earlier supported versions, patches are also available in TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3. Users are advised to upgrade as soon as possible.
NVD/CVE DatabaseFix: Users are advised to upgrade to a patched version. Patches are available at: https://github.com/tensorflow/tensorflow/commit/1de49725a5fc4e48f1a3b902ec3599ee99283043, https://github.com/tensorflow/tensorflow/commit/a4e401da71458d253b05e41f28637b65baf64be4, and https://github.com/tensorflow/tensorflow/commit/f19be71717c497723ba0cea0379e84f061a75e01
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. It will also be backported (applied to older versions still receiving updates) to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. The patch will also be applied to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. It will also be cherry-picked (applied as a patch) to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. Patches will also be cherry-picked (applied) to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, which are still in the supported range.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. The patch will also be backported to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3. Users should update to one of these versions or later.
NVD/CVE Database