All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
TensorFlow (an open-source platform for machine learning) has a bug where passing invalid arguments to a specific function called `tf.raw_ops.SparseCountSparseOutput` causes a segfault (a crash where the program tries to access memory it shouldn't). This happens because the function doesn't properly handle exceptional conditions (unexpected or invalid inputs).
Fix: The fix will be included in TensorFlow 2.5.0. Patches will also be applied to TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4, as these versions are also affected and still supported.
NVD/CVE DatabaseTensorFlow (an open source machine learning platform) crashes when you pass a complex argument to the `tf.transpose` function while also using the `conjugate=True` argument. This happens because the software doesn't properly handle this unusual combination of inputs.
TensorFlow is a machine learning platform that had a vulnerability where an attacker could crash the system by sending invalid arguments to the `tf.strings.substr` function, which performs string operations. This vulnerability was caused by improper error handling (not properly catching and managing exceptional conditions that shouldn't happen).
TensorFlow, a machine learning platform, has a vulnerability where TrySimplify (a code optimization component) can crash by dereferencing a null pointer (trying to access memory that doesn't exist) when optimizing nodes with no inputs. This undefined behavior can cause the program to fail unexpectedly.
A vulnerability in TensorFlow (an open source machine learning platform) allows attackers to cause a stack overflow (a crash caused by a program using too much memory on the call stack) by sending specially crafted input to the `ParseAttrValue` function through recursion (when a function calls itself repeatedly).
A bug in TensorFlow's `tf.io.decode_raw` function causes incorrect results and crashes when using certain combinations of parameters. The problem stems from incorrect pointer arithmetic (moving through memory incorrectly), which causes the function to skip parts of input data and write outside the allocated memory bounds (OOB write, where data is written to memory locations it shouldn't access), potentially leading to crashes or more serious attacks.
TensorFlow (an open-source machine learning platform) has a vulnerability in its `tf.raw_ops.CTCLoss` function where incomplete validation (insufficient checking of input data) allows an attacker to trigger an OOB read from heap (accessing memory outside the intended boundaries). This is a memory safety issue that could crash the program or expose sensitive data.
TensorFlow has a vulnerability (CVE-2021-29612) where a specific operation called `tf.raw_ops.BandedTriangularSolve` can be tricked into accessing memory it shouldn't (a heap buffer overflow, where an attacker reads or writes beyond the intended memory boundaries). The bug happens because the code doesn't properly check if input data is empty, and it doesn't verify that earlier validation checks actually succeeded before continuing to process the data.
TensorFlow, an open-source machine learning platform, has a vulnerability in the `SparseReshape` function where it doesn't properly check that input arguments are valid before using them. This incomplete validation allows an attacker to cause a denial of service (a crash that makes the system unavailable) by triggering a CHECK-failure, which is a built-in safety check that stops execution when something goes wrong.
TensorFlow has a vulnerability in the `QuantizeAndDequantizeV2` function where incorrect validation of the `axis` parameter allows invalid values to pass through, potentially causing heap underflow (a memory safety error where data is accessed below allocated memory boundaries). This flaw could let attackers read or write to other data stored in the heap (the area of memory used for dynamic storage).
TensorFlow's `SparseAdd` function (a tool for adding sparse tensors, which are data structures with mostly empty values) has incomplete validation that allows attackers to cause undefined behavior like accessing null memory or writing data outside allocated memory bounds. The vulnerability exists because the code doesn't properly check if tensors are empty or if their dimensions match, letting attackers send invalid sparse tensors that exploit unprotected assumptions.
TensorFlow, an open source machine learning platform, has a vulnerability in a function called `tf.raw_ops.RaggedTensorToTensor` that fails to properly validate (check) all input arguments. An attacker can cause undefined behavior (unpredictable crashes or memory access errors) by providing empty inputs, because the code only checks that one input isn't empty while skipping checks on the others.
TensorFlow, an open-source machine learning platform, has a bug in its `SparseAdd` function where it doesn't fully check the validity of sparse tensors (data structures that efficiently store mostly empty matrices). This allows attackers to send malformed tensors that can cause the program to crash or write data to unintended memory locations.
TensorFlow, an open source machine learning platform, has a vulnerability in TFLite (TensorFlow Lite, a lightweight version for mobile devices) where a maliciously designed model can trigger an OOB read (out-of-bounds read, accessing memory outside the intended data area) on the heap when the `Split_V` operation receives an invalid axis value that falls outside the expected range.
TensorFlow, a machine learning platform, has a vulnerability in its TFLite component (a lightweight version for mobile devices) where an attacker can create a malicious model that causes an integer overflow (when a calculation produces a number too large to fit in its storage type, wrapping around to become negative). This overflow leads to invalid memory allocation, potentially causing the program to crash or behave unpredictably.
TensorFlow, an open source machine learning platform, has a vulnerability in its TFLite (TensorFlow Lite, a lightweight version for mobile devices) hashtable lookup implementation that can cause a division by zero error (a crash caused by dividing by zero). An attacker could create a malicious model that triggers this crash by setting a dimension to 0.
TensorFlow, a machine learning platform, has a vulnerability where a specially crafted TFLite model (a lightweight version of TensorFlow for mobile devices) can cause an OOB write on heap (writing data beyond allocated memory boundaries) in the ArgMin/ArgMax operations. The bug occurs when the axis_value parameter falls outside valid bounds, causing the code to write past the end of the output array.
TensorFlow, an open-source machine learning platform, has a vulnerability in its `DepthwiseConv` operator (a component that performs a specific type of mathematical operation on data) where an attacker could craft a malicious model that causes a division by zero error (trying to divide a number by zero, which crashes the program). This allows an attacker to potentially crash or disrupt systems using this component.
TensorFlow's TFLite (a lightweight version for mobile and embedded devices) has a bug where it can experience an integer overflow (when a number gets too large to fit in its assigned storage space) in the concatenation operation (combining multiple data arrays into one). An attacker could create a malicious machine learning model that exploits this by making dimension values too large, and this problem can occur when converting regular TensorFlow models to the TFLite format.
TensorFlow's `OneHot` operator (a component that converts index values into one-hot encoded vectors) in TFLite, the lightweight version for mobile devices, has a division by zero vulnerability. An attacker could create a malicious model that causes the operator to divide by zero, potentially crashing the system or causing unexpected behavior.
Fix: Update to TensorFlow 2.5.0 or later. If you're using an older supported version, updates are also available for TensorFlow 2.4.2, 2.3.3, 2.2.3, and 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. The vulnerability will also be patched in earlier versions: TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. It will also be backported (applied to older versions) to TensorFlow 2.4.2, 2.3.3, 2.2.3, and 2.1.4, which are still supported.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. It will also be applied to TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0 and will be backported (adapted for older versions) to TensorFlow 2.4.2, 2.3.3, 2.2.3, and 2.1.4.
NVD/CVE DatabaseFix: The fix is included in TensorFlow 2.5.0. Users of earlier versions should update to: TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, or TensorFlow 2.1.4, as these versions contain cherrypicked patches (code changes applied to older versions) that address the vulnerability.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. It will also be backported (applied to earlier versions) in TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. The developers will also backport (apply the fix to older versions) this commit to TensorFlow 2.4.2 and TensorFlow 2.3.3, which are the only affected versions.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0 and will be backported (cherry-picked) to TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0 and will be cherry-picked (backported) to TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4 will also receive the fix through cherrypicked commits, as these versions are affected and still supported.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. Patches will also be available in TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. Additionally, the fix will be backported (applied to earlier versions still receiving support) to TensorFlow 2.4.2, 2.3.3, 2.2.3, and 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. It will also be backported (adapted for older versions) to TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. The fix will also be backported to TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. The developers will also apply this fix as a cherry-pick (a targeted patch) to TensorFlow 2.4.2, 2.3.3, 2.2.3, and 2.1.4, which are still in the supported version range.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. The vulnerability will also be patched in earlier versions: TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. It will also be backported (applied to older versions still being supported) to TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. The vulnerability will also be patched in TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4, which are still in the supported range.
NVD/CVE Database