aisecwatch.com
DashboardVulnerabilitiesNewsResearchArchiveStatsDatasetFor devs
Subscribe
aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Navigation

VulnerabilitiesNewsResearchDigest ArchiveNewsletter ArchiveSubscribeData SourcesStatisticsDatasetAPIIntegrationsWidgetRSS Feed

Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

to
Export CSV
6613 items

CVE-2021-41224: TensorFlow is an open source platform for machine learning. In affected versions the implementation of `SparseFillEmptyR

highvulnerability
security
Nov 5, 2021
CVE-2021-41224

TensorFlow, an open source machine learning platform, has a vulnerability in the `SparseFillEmptyRows` function that can cause a heap OOB access (out-of-bounds read, where a program tries to read memory it shouldn't access) when the size of `indices` does not match the size of `values`. This is a memory safety bug that could potentially crash the program or expose sensitive data.

Fix: The fix will be included in TensorFlow 2.7.0. The vulnerability is also addressed in TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4 through a cherry-picked commit (a targeted code fix applied to older versions). Users should update to one of these patched versions.

NVD/CVE Database

CVE-2021-41223: TensorFlow is an open source platform for machine learning. In affected versions the implementation of `FusedBatchNorm`

highvulnerability
security
Nov 5, 2021
CVE-2021-41223

TensorFlow, an open source machine learning platform, has a vulnerability in its `FusedBatchNorm` kernels that allows heap OOB access (out-of-bounds memory reading, where a program tries to read data outside the memory space it's allowed to use). This bug affects multiple older versions of TensorFlow that are still supported.

CVE-2021-41219: TensorFlow is an open source platform for machine learning. In affected versions the code for sparse matrix multiplicati

highvulnerability
security
Nov 5, 2021
CVE-2021-41219

TensorFlow, an open source platform for machine learning, has a vulnerability in its sparse matrix multiplication code where it can crash or behave unpredictably (undefined behavior) if matrix dimensions are 0 or less, because the code tries to write to an empty memory location (nullptr, a reference to nothing). When dimensions are invalid, the code should create an empty output but not write to it, otherwise it causes a heap OOB access (writing data outside the boundaries of allocated memory).

CVE-2021-41217: TensorFlow is an open source platform for machine learning. In affected versions the process of building the control flo

mediumvulnerability
security
Nov 5, 2021
CVE-2021-41217

TensorFlow, an open source machine learning platform, has a vulnerability where the code that builds a control flow graph (the structure representing how data moves through a model) crashes when it assumes paired nodes exist but they don't. When the first node in a pair is missing, the code tries to use a null pointer (a reference to nothing), causing the program to crash.

CVE-2021-41215: TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for `Deseriali

mediumvulnerability
security
Nov 5, 2021
CVE-2021-41215

TensorFlow, an open source machine learning platform, has a vulnerability where the shape inference code for `DeserializeSparse` (a function that converts serialized data back into sparse tensors, which are data structures that efficiently store mostly-empty matrices) can crash due to a null pointer dereference (trying to access memory that hasn't been allocated). This happens because the code incorrectly assumes the input tensor has a specific structure.

CVE-2021-41214: TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for `tf.ragged

highvulnerability
security
Nov 5, 2021
CVE-2021-41214

TensorFlow, an open source machine learning platform, has a bug in its shape inference code for the `tf.ragged.cross` function where it tries to use a null pointer (a reference to nothing), causing undefined behavior. The vulnerability is caused by accessing an uninitialized pointer (a memory location that hasn't been set up yet).

CVE-2021-41212: TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for `tf.ragged

highvulnerability
security
Nov 5, 2021
CVE-2021-41212

TensorFlow, an open source machine learning platform, has a vulnerability in its shape inference code for the `tf.ragged.cross` function that allows reading data outside the bounds of allocated memory (an out-of-bounds read, which can cause crashes or expose sensitive data). The vulnerability affects multiple versions of TensorFlow and has been patched in newer releases.

CVE-2021-41211: TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for `QuantizeV

highvulnerability
security
Nov 5, 2021
CVE-2021-41211

TensorFlow, an open-source machine learning platform, has a vulnerability in its shape inference code for the `QuantizeV2` function that allows reading memory outside of the intended boundaries (heap OOB read, or out-of-bounds read) when the `axis` parameter is given a negative value less than -1. This happens because the code doesn't properly validate that negative axis values stay within acceptable bounds before accessing memory.

CVE-2021-41205: TensorFlow is an open source platform for machine learning. In affected versions the shape inference functions for the `

highvulnerability
security
Nov 5, 2021
CVE-2021-41205

TensorFlow, an open source platform for machine learning, has a vulnerability in its shape inference functions for `QuantizeAndDequantizeV*` operations that can cause the program to read data outside the bounds of allocated memory (an out-of-bounds read, which is a memory safety error). This affects multiple versions of TensorFlow.

CVE-2021-41204: TensorFlow is an open source platform for machine learning. In affected versions during TensorFlow's Grappler optimizer

mediumvulnerability
security
Nov 5, 2021
CVE-2021-41204

TensorFlow, an open source machine learning platform, has a bug in its Grappler optimizer (the part that optimizes computational graphs) where constant folding (simplifying calculations before running them) incorrectly tries to copy resource tensors (special data structures that shouldn't be modified), causing the program to crash. The issue affects multiple versions of TensorFlow.

CVE-2021-41203: TensorFlow is an open source platform for machine learning. In affected versions an attacker can trigger undefined behav

highvulnerability
security
Nov 5, 2021
CVE-2021-41203

TensorFlow, an open-source machine learning platform, has a vulnerability where attackers can cause crashes or undefined behavior (unpredictable program execution) by modifying saved checkpoints (saved states of a trained model) from outside the system, because the checkpoint loading code doesn't properly validate file formats. This affects multiple versions of TensorFlow that are still being supported.

CVE-2021-41210: TensorFlow is an open source platform for machine learning. In affected versions the shape inference functions for `Spar

highvulnerability
security
Nov 5, 2021
CVE-2021-41210

TensorFlow, an open source machine learning platform, had a vulnerability in its shape inference functions for `SparseCountSparseOutput` that could cause an out-of-bounds read (accessing memory outside the intended area of a heap-allocated array, which can crash the program or leak data). This vulnerability affected multiple versions of TensorFlow.

CVE-2021-41201: TensorFlow is an open source platform for machine learning. In affeced versions during execution, `EinsumHelper::ParseEq

highvulnerability
security
Nov 5, 2021
CVE-2021-41201

TensorFlow, an open source machine learning platform, has a bug in the `EinsumHelper::ParseEquation()` function where it fails to properly initialize certain flags (variables that track whether ellipsis notation is used in inputs and outputs). The function only sets these flags to true but never to false, which can cause the program to read uninitialized memory (garbage values) if code calling this function assumes the flags are always set correctly.

CVE-2021-41200: TensorFlow is an open source platform for machine learning. In affected versions if `tf.summary.create_file_writer` is c

mediumvulnerability
security
Nov 5, 2021
CVE-2021-41200

TensorFlow (an open source platform for machine learning) has a bug where calling a specific function called `tf.summary.create_file_writer` with non-scalar arguments (values that aren't single numbers) causes the program to crash due to a failed assertion check. This vulnerability affects several versions of TensorFlow.

CVE-2021-41199: TensorFlow is an open source platform for machine learning. In affected versions if `tf.image.resize` is called with a l

mediumvulnerability
security
Nov 5, 2021
CVE-2021-41199

TensorFlow (an open source machine learning platform) has a bug in its `tf.image.resize` function where using very large input values causes the program to crash due to an integer overflow (when a number becomes too large for its storage type). The overflow is caught by a safety check that stops the entire process.

CVE-2021-41198: TensorFlow is an open source platform for machine learning. In affected versions if `tf.tile` is called with a large inp

mediumvulnerability
security
Nov 5, 2021
CVE-2021-41198

TensorFlow (an open source machine learning platform) crashes when the `tf.tile` function (which repeats tensor data) is called with very large inputs, because the number of output elements exceeds what an `int64_t` integer type can hold, causing an overflow that triggers a safety check and terminates the process.

CVE-2021-41197: TensorFlow is an open source platform for machine learning. In affected versions TensorFlow allows tensor to have a larg

mediumvulnerability
security
Nov 5, 2021
CVE-2021-41197

TensorFlow (an open source machine learning platform) has a vulnerability where tensors (multi-dimensional arrays of numbers) with very large dimensions can cause an integer overflow (when a calculation produces a number too big to store), resulting in a crash or inconsistent behavior. The vulnerability occurs because the code checks for overflow incorrectly in some parts of the codebase.

CVE-2021-41196: TensorFlow is an open source platform for machine learning. In affected versions the Keras pooling layers can trigger a

mediumvulnerability
security
Nov 5, 2021
CVE-2021-41196

TensorFlow (an open source machine learning platform) has a bug in its Keras pooling layers (functions that reduce data size by sampling from groups of values) that can cause a segfault (crash where the program tries to access invalid memory) if the pool size is 0 or if a dimension is negative, because the code doesn't check that these values are positive.

CVE-2021-41195: TensorFlow is an open source platform for machine learning. In affected versions the implementation of `tf.math.segment_

mediumvulnerability
security
Nov 5, 2021
CVE-2021-41195

TensorFlow's `tf.math.segment_*` operations (functions that process data divided into segments) crash with a denial of service error when a segment ID is very large, because the code doesn't properly handle cases where the output size exceeds what an int64_t (a 64-bit integer type) can store. The crash happens in both CPU and GPU implementations when computing output shape.

CVE-2021-42694: An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows

highvulnerability
security
Nov 1, 2021
CVE-2021-42694

CVE-2021-42694 is a vulnerability in the Unicode Specification (up to version 14.0) that allows attackers to create source code identifiers (like function names) using homoglyphs (characters that look identical but are technically different) to sneak malicious code into software. An attacker could use these visually identical but distinct characters in upstream dependencies (external code libraries), and developers reviewing the code might not catch the deception, allowing the malicious code to be used downstream (in other software that depends on it).

Previous305 / 331Next

Fix: The fix will be included in TensorFlow 2.7.0. The commit will also be cherry-picked (applied retroactively) to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.

NVD/CVE Database

Fix: The fix will be included in TensorFlow 2.7.0. The patch will also be backported (applied to older versions) in TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.

NVD/CVE Database

Fix: The fix will be included in TensorFlow 2.7.0. The fix will also be backported (applied to older versions still receiving updates) in TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.

NVD/CVE Database

Fix: The fix will be included in TensorFlow 2.7.0. The patch will also be applied to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.

NVD/CVE Database

Fix: The fix will be included in TensorFlow 2.7.0. Patches will also be backported (applied to earlier versions) to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.

NVD/CVE Database

Fix: The fix is included in TensorFlow 2.7.0. For users on earlier versions, patches were also released for TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, which are still in the supported range.

NVD/CVE Database

Fix: The fix will be included in TensorFlow 2.7.0. The fix will also be applied to TensorFlow 2.6.1, as this is the only other version affected.

NVD/CVE Database

Fix: The fix will be included in TensorFlow 2.7.0. The patch will also be applied to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these versions are affected and still supported.

NVD/CVE Database

Fix: The fix will be included in TensorFlow 2.7.0. Updates will also be available in TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.

NVD/CVE Database

Fix: The fixes will be included in TensorFlow 2.7.0. Additionally, patches will be cherry-picked (applied) to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, which are also affected and still in the supported range.

NVD/CVE Database

Fix: The fix is included in TensorFlow 2.7.0. The patch was also cherry-picked (applied to earlier versions) for TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, which were still in the supported range at the time.

NVD/CVE Database

Fix: The fix will be included in TensorFlow 2.7.0. The fix will also be backported (cherry-picked) to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.

NVD/CVE Database

Fix: The fix will be included in TensorFlow 2.7.0. The developers will also apply this fix to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, which are still in the supported range. Users can reference the patch commit at https://github.com/tensorflow/tensorflow/commit/874bda09e6702cd50bac90b453b50bcc65b2769e.

NVD/CVE Database

Fix: The fix will be included in TensorFlow 2.7.0. The fix will also be backported to TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.

NVD/CVE Database

Fix: The fix is included in TensorFlow 2.7.0. The patch will also be backported (applied to older versions) in TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.

NVD/CVE Database

Fix: The fix will be included in TensorFlow 2.7.0. Users of affected versions should update to TensorFlow 2.7.0, or apply cherrypicked patches available for TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4.

NVD/CVE Database

Fix: Update to TensorFlow 2.7.0, or apply the fix via cherrypicked commits in TensorFlow 2.6.1, TensorFlow 2.5.2, or TensorFlow 2.4.4.

NVD/CVE Database

Fix: The fix will be included in TensorFlow 2.7.0. TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4 will also receive this patch as these versions are still supported.

NVD/CVE Database

Fix: The Unicode Consortium provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and has documented this security vulnerability in Unicode Technical Report #36, Unicode Security Considerations.

NVD/CVE Database