TensorFlow, an open-source machine learning platform, has a vulnerability in the shape inference code for `tf.raw_ops.Dequantize` that lets an attacker who supplies invalid arguments trigger a denial of service via a segfault (a crash caused by accessing invalid memory). The code uses the `axis` parameter to index the input tensor's dimensions before validating that it lies within the tensor's rank.
Fix: The issue has been patched in GitHub commit da857cfa0fde8f79ad0afdbc94e88b5d4bbec764. The fix is included in TensorFlow 2.6.0 and will be backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
TensorFlow, an open-source machine learning platform, has a vulnerability where attackers can cause a denial of service via a segmentation fault in the MaxPoolGrad operation because of missing validation on its input tensors. An earlier fix for a related issue was incomplete.
TensorFlow, an open-source machine learning platform, has a vulnerability where attackers can crash the process (denial of service) through `tf.raw_ops.MapStage`, which does not validate that the `key` input is a non-empty tensor (a multi-dimensional array). Multiple versions of TensorFlow are affected.
TensorFlow, an open source machine learning platform, has a vulnerability where an attacker can perform a heap out-of-bounds read (reading past the end of a heap allocation) by sending crafted invalid arguments to `tf.raw_ops.SdcaOptimizerV2`. The code does not verify that the number of labels matches the number of examples being processed.
TensorFlow, an open source machine learning platform, has a vulnerability where attackers can perform a heap out-of-bounds read by sending crafted arguments to `tf.raw_ops.UpperBound` and `tf.raw_ops.LowerBound`. The code does not validate the rank (the number of dimensions) of the input tensors, so the read can expose other data held in memory.
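The two gaps above, an axis used to index the dimension list before being range-checked (Dequantize) and an input whose rank is assumed rather than verified (UpperBound/LowerBound), in a small C++ illustration added here. This is not TensorFlow's shape-inference code: the `Shape` and `Status` types are stand-ins, and the rank-2, equal-row-count contract for the search ops is an assumption made for the example. The unchecked variant is kept only for contrast and is never called with a bad axis.

```cpp
// Added example: minimal stand-ins for shape-inference types. Not TensorFlow
// code; Shape, Status and the rank-2 contract below are assumptions.
#include <cstdint>
#include <initializer_list>
#include <iostream>
#include <string>
#include <vector>

struct Shape {
  std::vector<int64_t> dims;   // dims.size() is the rank
  int rank() const { return static_cast<int>(dims.size()); }
};

struct Status {
  bool ok;
  std::string msg;
  static Status OK() { return {true, ""}; }
  static Status InvalidArgument(const std::string& m) { return {false, m}; }
};

// Vulnerable pattern (Dequantize entry): 'axis' comes from an op attribute
// and indexes dims before any range check. With axis >= rank this reads past
// the end of 'dims' (undefined behaviour, typically a segfault).
// Kept for contrast only; never called with a bad axis here.
int64_t DequantizeAxisSizeUnchecked(const Shape& input, int axis) {
  return input.dims[axis];
}

// Hardened: Dequantize treats axis == -1 as "no quantisation axis"; any
// other value must satisfy 0 <= axis < rank, checked before indexing.
Status DequantizeAxisSize(const Shape& input, int axis, int64_t* out) {
  if (axis < -1) return Status::InvalidArgument("axis must be >= -1");
  if (axis == -1) { *out = -1; return Status::OK(); }
  if (axis >= input.rank())
    return Status::InvalidArgument("axis " + std::to_string(axis) +
                                   " out of range for rank " +
                                   std::to_string(input.rank()));
  *out = input.dims[axis];
  return Status::OK();
}

// Hardened rank check (UpperBound/LowerBound entry). Assumed contract for the
// example: 'sorted_inputs' and 'values' are both rank 2 with the same number
// of rows; the output has the shape of 'values'. Without the rank checks,
// dims[0] on a rank-0 input is itself an out-of-bounds read.
Status SearchBoundsShape(const Shape& sorted_inputs, const Shape& values,
                         Shape* out) {
  if (sorted_inputs.rank() != 2)
    return Status::InvalidArgument("sorted_inputs must be rank 2");
  if (values.rank() != 2)
    return Status::InvalidArgument("values must be rank 2");
  if (sorted_inputs.dims[0] != values.dims[0])
    return Status::InvalidArgument("sorted_inputs and values differ in rows");
  *out = values;
  return Status::OK();
}

int main() {
  Shape input{{4, 8}};   // constructed sample: a rank-2 input
  int64_t size = 0;
  for (int axis : {-1, 0, 1, 2, -3}) {
    Status s = DequantizeAxisSize(input, axis, &size);
    std::cout << "axis " << axis << ": "
              << (s.ok ? "ok, size " + std::to_string(size) : s.msg) << "\n";
  }
  Shape out;
  Status s = SearchBoundsShape(Shape{{3, 10}}, Shape{{6}}, &out);
  std::cout << "rank-1 values: " << s.msg << "\n";
  return 0;
}
```

The order of the checks is the point: the `axis < -1` and `axis >= rank` tests run before `dims[axis]` is ever evaluated, and the rank tests run before `dims[0]` is read.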
TensorFlow, an open-source machine learning platform, has a vulnerability in `tf.raw_ops.NonMaxSuppressionV5` that allows attackers to crash applications serving a model by supplying a negative number. The value is converted from a signed to an unsigned integer without a range check, and the advisory describes the resulting crash as a division by zero.
TensorFlow, an open source platform for machine learning, has a vulnerability (CVE-2021-37668) where attackers can crash applications by triggering a division by zero in `tf.raw_ops.UnravelIndex`. The code does not check that the `dims` tensor (a multi-dimensional array) is non-empty before performing its calculations.
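An added C++ illustration (not TensorFlow code) of the two integer hazards in the NonMaxSuppressionV5 and UnravelIndex entries above: a negative count silently becoming a huge unsigned value, and a flat-index-to-coordinates computation that divides by dimension sizes it never validated. The `Result` type and the guards marked "assumed" (positive dimensions, in-bounds index, product overflow) are this example's additions, not TensorFlow's checks.

```cpp
// Added example (not TensorFlow code) of two integer hazards: signed-to-
// unsigned conversion and division by an unvalidated dimension. Result and
// the guards marked "assumed" are this example's, not TensorFlow's.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <limits>
#include <string>
#include <vector>

// NonMaxSuppressionV5 entry: a negative int used as a size does not fail, it
// wraps to a huge std::size_t. Guard it before it reaches any size parameter.
bool CheckedCount(int requested, std::size_t* out) {
  if (requested < 0) return false;   // would wrap to near SIZE_MAX if converted
  *out = static_cast<std::size_t>(requested);
  return true;
}

// What the implicit conversion actually yields for a negative value.
std::size_t ImplicitUnsigned(int value) { return static_cast<std::size_t>(value); }

// UnravelIndex entry: turn a flat index into per-dimension coordinates.
// Unguarded, the modulo/division below runs against dims that were never
// checked, so an empty 'dims' tensor or a zero entry divides by zero.
struct Result {
  bool ok;
  std::string msg;
  std::vector<int64_t> coords;
};

Result UnravelIndex(int64_t flat, const std::vector<int64_t>& dims) {
  if (dims.empty()) return {false, "dims must not be empty", {}};
  int64_t total = 1;
  for (int64_t d : dims) {
    if (d <= 0) return {false, "dims must be positive", {}};          // assumed guard
    if (d > std::numeric_limits<int64_t>::max() / total)               // assumed guard
      return {false, "dims product overflows", {}};
    total *= d;
  }
  if (flat < 0 || flat >= total) return {false, "index out of bound", {}};  // assumed guard
  std::vector<int64_t> coords(dims.size());
  for (std::size_t i = dims.size(); i-- > 0;) {   // last dimension varies fastest
    coords[i] = flat % dims[i];
    flat /= dims[i];
  }
  return {true, "", coords};
}

int main() {
  std::cout << "(size_t)-1 = " << ImplicitUnsigned(-1) << "\n";
  std::size_t n = 0;
  std::cout << "CheckedCount(-1): " << (CheckedCount(-1, &n) ? "accepted" : "rejected") << "\n";
  Result r = UnravelIndex(7, {2, 3, 4});   // constructed sample
  std::cout << "unravel(7, [2,3,4]) =";
  for (int64_t c : r.coords) std::cout << ' ' << c;
  std::cout << "\nunravel(7, []): " << UnravelIndex(7, {}).msg << "\n";
  return 0;
}
```

Both hazards share a shape: an integer that is trusted because of its type rather than its value. The sign check and the emptiness check each cost one comparison and run before the value is used in a conversion or a division.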
TensorFlow, an open source machine learning platform, has a vulnerability in its MKL (Intel Math Kernel Library) implementation: incomplete validation of input tensor dimensions lets attackers trigger undefined behavior, including reads outside allocated memory. Two operations are affected, the MKL requantization op and `MklRequantizePerChannelOp`.
TensorFlow, a machine learning platform, has a vulnerability in `tf.raw_ops.QuantizeV2` where incomplete validation lets attackers cause crashes or reads from invalid memory locations, because the code does not verify that its input parameters have matching sizes and fall within valid ranges.
TensorFlow, an open-source machine learning platform, has a vulnerability where an attacker can craft a model file that crashes the process through a null pointer dereference (accessing memory through a pointer that points nowhere). The problem is in the MLIR (a compiler intermediate representation) optimization of the L2NormalizeReduceAxis operator, which reads the first element of a vector without first checking that the vector is non-empty.
TensorFlow, an open source machine learning platform, has a vulnerability where an attacker can craft a TFLite model (TensorFlow Lite, the runtime for mobile and embedded devices) that triggers a null pointer dereference, crashing the process. The code dereferences a pointer without checking that it is valid.
TensorFlow 2.6.0 has a bug in the TFLite (TensorFlow Lite, the mobile and embedded runtime) strided slice implementation (which extracts sub-arrays) that lets an attacker craft a model that sends the interpreter into an infinite loop. The bug is in the handling of ellipsis (the `...` shorthand in slice notation).
TensorFlow (an open source machine learning platform) has a vulnerability in the SVDF layer implementation (a neural network component) in TFLite (the mobile and embedded runtime) that can lead to a null pointer dereference. The `GetVariableInput` function can return a null pointer, and the caller uses the result without checking for that case.
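An added C++ illustration (not TensorFlow Lite code) of the pattern in the SVDF entry and the TFLite null-pointer entry above: an accessor that legitimately returns `nullptr` for an absent optional input, a kernel that dereferences the result unconditionally, and the corrected kernel. The `Context`, `Node` and `Tensor` types and the `kOptionalTensor` sentinel are stand-ins assumed for the example.

```cpp
// Added example (not TensorFlow Lite code): an accessor that may return
// nullptr, an unconditional dereference, and the checked version. The
// Context/Node/Tensor types and kOptionalTensor are assumptions.
#include <iostream>
#include <vector>

constexpr int kOptionalTensor = -1;   // "this input was not wired up"

struct Tensor { std::vector<float> data; };

struct Node {
  std::vector<int> inputs;   // tensor ids, or kOptionalTensor
};

struct Context {
  std::vector<Tensor> tensors;
};

enum class TfStatus { kOk, kError };

// Mirrors the contract the entry describes: the accessor may return nullptr,
// both for an optional input the model left out and for a bad index.
Tensor* GetVariableInput(Context& ctx, const Node& node, int index) {
  if (index < 0 || index >= static_cast<int>(node.inputs.size())) return nullptr;
  int id = node.inputs[index];
  if (id == kOptionalTensor || id < 0 || id >= static_cast<int>(ctx.tensors.size()))
    return nullptr;
  return &ctx.tensors[id];
}

// Vulnerable: treats the result as always valid. A crafted model whose node
// marks the state input as optional makes this dereference nullptr.
// Kept for contrast; not called with a crafted node here.
float SumStateUnchecked(Context& ctx, const Node& node, int state_index) {
  Tensor* state = GetVariableInput(ctx, node, state_index);
  float sum = 0;
  for (float v : state->data) sum += v;
  return sum;
}

// Hardened: check before use and report a kernel error instead of crashing.
TfStatus SumState(Context& ctx, const Node& node, int state_index, float* out) {
  Tensor* state = GetVariableInput(ctx, node, state_index);
  if (state == nullptr) return TfStatus::kError;
  float sum = 0;
  for (float v : state->data) sum += v;
  *out = sum;
  return TfStatus::kOk;
}

int main() {
  Context ctx;
  ctx.tensors.push_back({{1.0f, 2.0f, 3.5f}});   // constructed sample tensor
  Node good{{0}};
  Node crafted{{kOptionalTensor}};   // constructed: model omits the state tensor
  float s = 0;
  std::cout << "good node: " << (SumState(ctx, good, 0, &s) == TfStatus::kOk ? "ok, sum " : "error ")
            << s << "\n";
  std::cout << "crafted node: "
            << (SumState(ctx, crafted, 0, &s) == TfStatus::kOk ? "ok" : "rejected") << "\n";
  return 0;
}
```

The model file decides which inputs exist, so any accessor whose contract includes "may return null" has to be treated as attacker-influenced at the call site.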
TensorFlow, an open source machine learning platform, has a vulnerability in the fully connected layer implementation (a neural network component that connects every input to every output) in TFLite (the mobile and embedded runtime) that can trigger a division by zero and crash the process. The issue has been patched and will be included in upcoming releases.
TensorFlow (an open-source platform for machine learning) has a vulnerability where an attacker can trigger undefined behavior (unpredictable crashes or malfunctions) through `tf.raw_ops.SparseFillEmptyRows`, whose shape inference code (which determines the size and structure of the outputs) fails to check whether its input arguments are empty tensors.
TensorFlow, a machine learning platform, has a vulnerability where attackers can crash the software through division by zero in the convolution operators (the core operations of convolutional neural networks). The shape inference code performs divisions without first validating the input shapes, allowing a denial of service.
TensorFlow, an open source machine learning platform, has a vulnerability in its Map and OrderedMap operations where an attacker can cause undefined behavior by supplying empty indices. The code checks that the indices are in order but never checks that any exist, so the first-element access binds a reference to a null pointer.
TensorFlow, an open source machine learning platform, has a vulnerability where an attacker can cause undefined behavior through `tf.raw_ops.UnicodeEncode`. The code reads from a tensor without first checking whether that tensor is empty, which can lead to a null pointer dereference.
TensorFlow, an open source machine learning platform, has a vulnerability (CVE-2021-37666) where attackers can cause undefined behavior through incomplete validation in RaggedTensorToVariant. The function does not check for empty input values before using them.
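An added C++ illustration (not TensorFlow code) for the empty-tensor entries above (SparseFillEmptyRows, Map/OrderedMap, UnicodeEncode, RaggedTensorToVariant): reading element 0 of a tensor with zero elements binds a reference through a null data pointer, so the emptiness check has to come before any element access, including the ordering check the Map/OrderedMap entry mentions. The `Tensor` stand-in, the `Status` type and the splits contract in `FirstSplit` are assumptions made for the example.

```cpp
// Added example (not TensorFlow code): element access on an empty tensor,
// beside the emptiness check that must precede it. Tensor, Status and the
// splits contract are assumptions for illustration.
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

struct Tensor {
  std::vector<int64_t> buf;
  int64_t NumElements() const { return static_cast<int64_t>(buf.size()); }
  // Like an unchecked vec()(i): no bounds check. On an empty tensor buf.data()
  // may be nullptr, so binding a reference to element 0 is undefined behaviour.
  const int64_t& vec(int64_t i) const { return buf.data()[i]; }
};

struct Status {
  bool ok;
  std::string msg;
  static Status OK() { return {true, ""}; }
  static Status InvalidArgument(const std::string& m) { return {false, m}; }
};

// Vulnerable pattern (Map/OrderedMap entry): the ordering loop is harmless on
// an empty tensor because it never runs, but the final read of element 0 is
// unconditional. Kept for contrast; never called on an empty tensor here.
bool IndicesSortedUnchecked(const Tensor& indices) {
  for (int64_t i = 1; i < indices.NumElements(); ++i)
    if (indices.vec(i) <= indices.vec(i - 1)) return false;
  return indices.vec(0) >= 0;   // reference to element 0 of a possibly empty tensor
}

// Hardened: the emptiness check precedes every element access.
Status ValidateIndices(const Tensor& indices) {
  if (indices.NumElements() == 0)
    return Status::InvalidArgument("indices must not be empty");
  if (indices.vec(0) < 0)
    return Status::InvalidArgument("indices must be non-negative");
  for (int64_t i = 1; i < indices.NumElements(); ++i)
    if (indices.vec(i) <= indices.vec(i - 1))
      return Status::InvalidArgument("indices must be strictly increasing");
  return Status::OK();
}

// UnicodeEncode-style use: the first split offset seeds a loop. Hardened with
// an assumed contract: at least one offset, and the first must be 0.
Status FirstSplit(const Tensor& splits, int64_t* first) {
  if (splits.NumElements() == 0)
    return Status::InvalidArgument("input_splits must not be empty");
  *first = splits.vec(0);
  if (*first != 0) return Status::InvalidArgument("first split must be 0");
  return Status::OK();
}

int main() {
  Tensor indices{{0, 1, 3}};   // constructed sample
  Tensor empty{};
  std::cout << "sorted, non-empty: " << (ValidateIndices(indices).ok ? "ok" : "rejected") << "\n";
  std::cout << "empty indices: " << ValidateIndices(empty).msg << "\n";
  int64_t first = -1;
  std::cout << "empty splits: " << FirstSplit(empty, &first).msg << "\n";
  return 0;
}
```

`NumElements() == 0` is the one condition every entry in this group was missing; once it is tested first, the remaining checks can read elements freely.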
TensorFlow, a machine learning platform, has a use-after-free vulnerability (freed memory is accessed again) in `tf.raw_ops.BoostedTreesCreateEnsemble` that attackers can trigger with crafted input. A refactoring changed the resource from a naked pointer (a plain memory reference) to a smart pointer (which releases the resource automatically), so the resource is released twice and its members are accessed during cleanup after it has already been deallocated.
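An added C++ model (not TensorFlow code) of the ownership bug in the BoostedTreesCreateEnsemble entry: a resource moved from a naked pointer to an RAII smart pointer while the original manual release stayed in place, so the reference is dropped twice, shown beside the pre-refactor and corrected versions. The `Resource`, `RefCountPtr` and `Registry` types are simplified stand-ins written here, and the mock release records a second drop instead of freeing memory twice, so the code is safe to run.

```cpp
// Added example (not TensorFlow code): a reference-counted resource released
// once by RAII and once by hand. Resource, RefCountPtr and Registry are
// simplified stand-ins; Unref() records a double release instead of freeing.
#include <iostream>
#include <memory>

class Resource {
 public:
  void Ref() { ++refs_; }
  void Unref() {
    if (refs_ <= 0) { ++double_releases_; return; }   // real code: double free
    if (--refs_ == 0) destroyed_ = true;              // real code: delete this
  }
  int refs() const { return refs_; }
  bool destroyed() const { return destroyed_; }
  int double_releases() const { return double_releases_; }
 private:
  int refs_ = 1;   // the creator holds the initial reference
  bool destroyed_ = false;
  int double_releases_ = 0;
};

// RAII owner: drops one reference when it goes out of scope. release() hands
// that reference back to the caller without dropping it.
struct UnrefDeleter { void operator()(Resource* r) const { if (r) r->Unref(); } };
using RefCountPtr = std::unique_ptr<Resource, UnrefDeleter>;

// Where the resource is registered; on success the registry owns the reference
// and drops it at Cleanup(). Create() fails if a resource is already stored.
struct Registry {
  Resource* stored = nullptr;
  bool Create(Resource* r) { if (stored) return false; stored = r; return true; }
  void Cleanup() { if (stored) { stored->Unref(); stored = nullptr; } }
};

// Before the refactor: naked pointer, manual Unref on the error path. Correct.
bool CreateEnsembleNaked(Registry& reg, Resource* result) {
  if (!reg.Create(result)) { result->Unref(); return false; }
  return true;
}

// After the refactor as the entry describes: 'result' became a smart pointer
// but the manual Unref stayed, and the pointer was handed over without
// release(). Error path: manual Unref plus destructor Unref. Success path: the
// registry and the destructor both believe they own the reference, and the
// registry's later Cleanup() touches an already-released resource.
bool CreateEnsembleBuggy(Registry& reg, Resource* raw) {
  RefCountPtr result(raw);
  if (!reg.Create(result.get())) { result->Unref(); return false; }  // double release
  return true;   // destructor drops the reference the registry now holds
}

// Fixed: ownership moves exactly once. On failure the smart pointer alone
// releases; on success release() transfers the reference to the registry.
bool CreateEnsembleFixed(Registry& reg, Resource* raw) {
  RefCountPtr result(raw);
  if (!reg.Create(result.get())) return false;   // destructor does the Unref
  result.release();                              // registry now owns the ref
  return true;
}

// Runs one variant to completion (create, then registry cleanup) and returns
// the number of double releases recorded. 'occupied' pre-fills the registry
// so Create() fails and the error path is exercised.
int RunScenario(bool (*create)(Registry&, Resource*), bool occupied, Resource* r) {
  Registry reg;
  Resource blocker;
  if (occupied) reg.Create(&blocker);
  create(reg, r);
  reg.Cleanup();
  return r->double_releases();
}

int main() {
  Resource a, b, c, d;
  std::cout << "buggy, success path: " << RunScenario(CreateEnsembleBuggy, false, &a) << " double release(s)\n";
  std::cout << "buggy, error path:   " << RunScenario(CreateEnsembleBuggy, true, &b) << " double release(s)\n";
  std::cout << "fixed, success path: " << RunScenario(CreateEnsembleFixed, false, &c) << " double release(s)\n";
  std::cout << "fixed, error path:   " << RunScenario(CreateEnsembleFixed, true, &d) << " double release(s)\n";
  return 0;
}
```

The review question after such a refactor is "who drops this reference on each path?"; the buggy variant has two answers on both paths, the fixed one exactly one.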
Fix: The issue has been patched in GitHub commit 136b51f10903e044308cf77117c0ed9871350475. The fix will be included in TensorFlow 2.6.0 and will be backported to TensorFlow 2.5.1, 2.4.3, and 2.3.4.
Fix: The issue has been patched in GitHub commit d7de67733925de196ec8863a33445b73f9562d1d. The fix will be included in TensorFlow 2.6.0 and will also be backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
Fix: The issue has been patched in GitHub commit a4e138660270e7599793fa438cd7b2fc2ce215a6. The fix will be included in TensorFlow 2.6.0 and will also be backported (applied to the older versions still supported) to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
Fix: The issue was patched in GitHub commit 42459e4273c2e47a3232cc16c4f4fff3b3a35c38. The fix will be included in TensorFlow 2.6.0 and will also be backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
Fix: Update to TensorFlow 2.6.0 or apply the patches in GitHub commits 3a7362750d5c372420aa8f0caf7bf5b5c3d0f52d and b5cdbf12ffcaaffecf98f22a6be5a64bb96e4f58. The patches are also being cherry-picked (backported) into TensorFlow 2.5.1, 2.4.3, and 2.3.4.
Fix: The issue was patched in GitHub commit a776040a5e7ebf76eeb7eb923bf1ae417dd4d233. The fix is included in TensorFlow 2.6.0 and will be backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
Fix: The issue was patched in GitHub commits 9e62869465573cb2d9b5053f1fa02a81fce21d69 and 203214568f5bc237603dbab6e1fd389f1572f5c9. The fix is included in TensorFlow 2.6.0 and was backported to versions 2.5.1, 2.4.3, and 2.3.4.
Fix: The issue has been patched in GitHub commit 6da6620efad397c85493b8f8667b821403516708. The fix will be included in TensorFlow 2.6.0 and has also been backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
Fix: The issue has been patched in GitHub commit d6b57f461b39fd1aa8c1b870f1b974aac3554955. The fix is included in TensorFlow 2.6.0 and has been backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
Fix: The issue was patched in GitHub commit 15691e456c7dc9bd6be203b09765b063bf4a380c. The fix will be included in TensorFlow 2.6.0 and will also be backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
Fix: The issue has been patched in GitHub commit dfa22b348b70bb89d6d6ec0ff53973bacb4f4695. Update TensorFlow to a version after 2.6.0.
Fix: The issue has been patched in GitHub commit 5b048e87e4e55990dae6b547add4dae59f4e1c76. The fix will be included in TensorFlow 2.6.0 and will also be backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
Fix: The fix will be included in TensorFlow 2.6.0. It will also be backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
Fix: The issue has been patched in GitHub commit 578e634b4f1c1c684d4b4294f9e5281b2133b3ed. The fix will be included in TensorFlow 2.6.0 and will also be backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
Fix: The issue has been patched in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. The fix will be included in TensorFlow 2.6.0 and will be backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
Fix: The fix is included in TensorFlow 2.6.0 and was cherry-picked into TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4. Users of affected versions should update to one of these patched releases.
Fix: The issue is patched in GitHub commit 2e0ee46f1a47675152d3d865797a18358881d7a6. The fix will be included in TensorFlow 2.6.0 and will also be backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
Fix: The issue has been patched in GitHub commit be7a4de6adfbd303ce08be4332554dff70362612. The fix will be included in TensorFlow 2.6.0 and will also be backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
Fix: The issue was patched in GitHub commit 5ecec9c6fbdbc6be03295685190a45e7eee726ab. The fix is included in TensorFlow 2.6.0 and was also backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.