All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
TensorFlow (an open source machine learning platform) has a vulnerability in the `ImmutableConst` operation that allows attackers to read arbitrary memory contents. The issue occurs because the operation doesn't properly handle a special type of string called `tstring` that can reference memory-mapped data.
Fix: The fix will be included in TensorFlow 2.7.0. The patch will also be backported (applied to older supported versions) in TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.
NVD/CVE DatabaseTensorFlow's Grappler optimizer (the part of TensorFlow that improves how machine learning models run) has a bug where a variable called `dequeue_node` is never initialized if a saved model doesn't contain a specific type of operation called a `Dequeue` node. This uninitialized variable could cause the optimizer to behave unpredictably or crash.
TensorFlow, an open source platform for machine learning, has a vulnerability in the `SplitV` function where supplying negative arguments can cause a segfault (a crash from accessing invalid memory). The crash happens when the `size_splits` parameter contains multiple values with at least one being negative.
TensorFlow (an open source machine learning platform) has a vulnerability where shape inference code for certain operations can be tricked into accessing invalid memory through a heap buffer overflow (where a program writes data beyond the allocated memory space). This happens because the code doesn't verify that certain input parameters have the correct structure before using them.
TensorFlow, an open source platform for machine learning, had a memory leak and use-after-free bug (a mistake where the program tries to access data after it has already been deleted) in its `CollectiveReduceV2` function due to improper handling of asynchronous operations. The vulnerability was caused by objects being moved from memory while still being accessed elsewhere in the code.
TensorFlow (an open source platform for machine learning) contains a vulnerability in its shape inference function for the `Transpose` operation where negative values in the `perm` parameter can cause a heap buffer overflow (writing data outside the intended memory boundaries). The issue stems from insufficient validation of the indices in `perm` before they are processed.
TensorFlow, an open source machine learning platform, has a vulnerability in its `tf.function` API (a feature that converts Python functions into optimized operations) where mutually recursive functions (functions that call each other back and forth) can cause a deadlock using a non-reentrant Lock (a mechanism that prevents simultaneous access but doesn't allow the same thread to re-enter it). An attacker could cause a denial of service by tricking users into loading vulnerable models, though this scenario is uncommon.
TensorFlow, an open source machine learning platform, has a bug in its shape inference code for the `AllToAll` function that causes a division by zero error (when a value is divided by 0, causing the program to crash) whenever the `split_count` argument is set to 0. This vulnerability could allow an attacker to crash or disrupt a TensorFlow application.
TensorFlow (an open source platform for machine learning) has a bug where its convolution operators (mathematical functions that process data in neural networks) crash with a division by zero error when given empty filter tensors (arrays of parameters). This vulnerability affects multiple versions of TensorFlow.
TensorFlow's boosted trees code (a machine learning feature for building multiple decision trees together) lacks proper input validation, allowing attackers to crash the system (denial of service, where a service becomes unavailable), read sensitive data from memory, or write malicious data to memory buffers. The TensorFlow developers recommend stopping use of these APIs since the boosted trees code is no longer actively maintained.
TensorFlow, an open source platform for machine learning, has a vulnerability in its `ParallelConcat` function that lacks proper input validation and can cause a division by zero error (a crash caused by dividing a number by zero). The affected versions have known fixes available through updates to TensorFlow 2.7.0 and earlier supported versions.
TensorFlow, a machine learning platform, has a vulnerability (CVE-2021-41206) where certain operations don't properly check the size and dimensions of tensor arguments (the numerical arrays that machine learning models process). This missing validation can cause crashes, memory corruption (reads and writes to unintended memory locations), or other undefined behavior depending on which operation is affected.
TensorFlow, an open source platform for machine learning, has a bug in its `tf.range` function where a conditional statement mixes two different number types (int64, a large integer type, and double, a decimal number type). Due to how C++ automatically converts between these types, the calculation overflows (produces incorrect results that are too large to store). This causes the output size calculation to fail.
TensorFlow, an open source platform for machine learning, has a vulnerability in its `SparseBinCount` function that allows heap OOB access (out-of-bounds memory access, where a program reads data outside the memory it's allowed to use) because it doesn't validate that the `values` argument matches the shape of the sparse output. This bug could let attackers crash the system or potentially read sensitive data from memory.
TensorFlow, an open source machine learning platform, has a vulnerability in the `SparseFillEmptyRows` function that can cause a heap OOB access (out-of-bounds read, where a program tries to read memory it shouldn't access) when the size of `indices` does not match the size of `values`. This is a memory safety bug that could potentially crash the program or expose sensitive data.
TensorFlow, an open source machine learning platform, has a vulnerability in its `FusedBatchNorm` kernels that allows heap OOB access (out-of-bounds memory reading, where a program tries to read data outside the memory space it's allowed to use). This bug affects multiple older versions of TensorFlow that are still supported.
TensorFlow, an open source platform for machine learning, has a vulnerability in its sparse matrix multiplication code where it can crash or behave unpredictably (undefined behavior) if matrix dimensions are 0 or less, because the code tries to write to an empty memory location (nullptr, a reference to nothing). When dimensions are invalid, the code should create an empty output but not write to it, otherwise it causes a heap OOB access (writing data outside the boundaries of allocated memory).
TensorFlow, an open source machine learning platform, has a vulnerability where the code that builds a control flow graph (the structure representing how data moves through a model) crashes when it assumes paired nodes exist but they don't. When the first node in a pair is missing, the code tries to use a null pointer (a reference to nothing), causing the program to crash.
TensorFlow, an open source machine learning platform, has a vulnerability where the shape inference code for `DeserializeSparse` (a function that converts serialized data back into sparse tensors, which are data structures that efficiently store mostly-empty matrices) can crash due to a null pointer dereference (trying to access memory that hasn't been allocated). This happens because the code incorrectly assumes the input tensor has a specific structure.
TensorFlow, an open source machine learning platform, has a bug in its shape inference code for the `tf.ragged.cross` function where it tries to use a null pointer (a reference to nothing), causing undefined behavior. The vulnerability is caused by accessing an uninitialized pointer (a memory location that hasn't been set up yet).
Fix: Update to TensorFlow 2.7.0 or later. If you need to stay on earlier versions, update to TensorFlow 2.6.1, 2.5.2, or 2.4.4, which will include the fix through a cherrypick (backport of the specific fix to older versions).
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.7.0. The patch will also be backported to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, which are still in the supported range. Users can reference the specific commit at https://github.com/tensorflow/tensorflow/commit/25d622ffc432acc736b14ca3904177579e733cc6.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.7.0. The patch will also be backported (adapted and released) for TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.
NVD/CVE DatabaseFix: The fix is included in TensorFlow 2.7.0, and the patch was also backported to TensorFlow 2.6.1, which was the only other affected version.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.7.0. Users of affected versions should upgrade to TensorFlow 2.7.0 or the patched versions: TensorFlow 2.6.1, TensorFlow 2.5.2, or TensorFlow 2.4.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.7.0. The fix will also be backported (applied to older supported versions) to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.
NVD/CVE DatabaseFix: The fix is included in TensorFlow 2.7.0. For users on earlier versions still receiving support, the patch will also be applied to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4. Users should update to one of these patched versions.
NVD/CVE DatabaseFix: The fix is included in TensorFlow 2.7.0 and has also been backported to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.7.0. Security patches will also be backported to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.
NVD/CVE DatabaseFix: Update to TensorFlow 2.7.0. For users on earlier versions still in the supported range, apply patches for TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4. The fix is available in the commit: https://github.com/tensorflow/tensorflow/commit/f2c3931113eaafe9ef558faaddd48e00a6606235
NVD/CVE DatabaseFix: The fixes will be included in TensorFlow 2.7.0. Patches will also be backported to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.7.0. The fix will also be backported (applied to older versions still being supported) in TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.
NVD/CVE DatabaseFix: The fix is included in TensorFlow 2.7.0 and has been backported to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4. Users should update to one of these patched versions.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.7.0. The vulnerability is also addressed in TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4 through a cherry-picked commit (a targeted code fix applied to older versions). Users should update to one of these patched versions.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.7.0. The commit will also be cherry-picked (applied retroactively) to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.7.0. The patch will also be backported (applied to older versions) in TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.7.0. The fix will also be backported (applied to older versions still receiving updates) in TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.7.0. The patch will also be applied to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.7.0. Patches will also be backported (applied to earlier versions) to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.
NVD/CVE Database