aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

AI & LLM Vulnerabilities

Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.

1479 items

CVE-2022-41899: TensorFlow is an open source platform for machine learning. Inputs `dense_features` or `example_state_data` not of rank

medium vulnerability
security
Nov 18, 2022
CVE-2022-41899

TensorFlow (an open source machine learning platform) has a bug where certain inputs with incorrect dimensions crash the SdcaOptimizer component due to a failed validation check. This happens when `dense_features` or `example_state_data` inputs don't have the expected 2D structure (rank 2, meaning a table with rows and columns).

Fix: The fix is included in TensorFlow 2.11. For users on earlier versions, the patch will also be available in TensorFlow 2.10.1, 2.9.3, and 2.8.4. The specific fix is referenced in GitHub commit 80ff197d03db2a70c6a111f97dcdacad1b0babfa.

NVD/CVE Database

CVE-2022-41898: TensorFlow is an open source platform for machine learning. If `SparseFillEmptyRowsGrad` is given empty inputs, TensorFl

medium vulnerability
security
Nov 18, 2022
CVE-2022-41898

TensorFlow, an open source machine learning platform, crashes when a function called `SparseFillEmptyRowsGrad` receives empty inputs instead of data. This happens because the code doesn't properly validate (check) what data it receives before trying to process it.

CVE-2022-41897: TensorFlow is an open source platform for machine learning. If `FractionMaxPoolGrad` is given outsize inputs `row_poolin

medium vulnerability
security
Nov 18, 2022
CVE-2022-41897

TensorFlow (an open-source machine learning platform) crashes when a function called `FractionMaxPoolGrad` receives oversized inputs for the `row_pooling_sequence` and `col_pooling_sequence` parameters. The crash is caused by an out-of-bounds read (accessing memory locations outside the intended range), which makes the program fail unexpectedly.

CVE-2022-41896: TensorFlow is an open source platform for machine learning. If `ThreadUnsafeUnigramCandidateSampler` is given input `fil

medium vulnerability
security
Nov 18, 2022
CVE-2022-41896

TensorFlow (an open-source platform for machine learning) has a vulnerability where a function called `ThreadUnsafeUnigramCandidateSampler` crashes if it receives an input value for `filterbank_channel_count` that exceeds the maximum allowed size. This is caused by improper input validation (failure to check that user-provided values are within acceptable limits).

CVE-2022-41895: TensorFlow is an open source platform for machine learning. If `MirrorPadGrad` is given outsize input `paddings`, Tensor

medium vulnerability
security
Nov 18, 2022
CVE-2022-41895

TensorFlow, an open source machine learning platform, has a vulnerability where the `MirrorPadGrad` function crashes with a heap OOB error (out-of-bounds memory access, where the software tries to read memory it shouldn't) when given incorrectly sized input padding values. This bug allows attackers to potentially crash TensorFlow applications.

CVE-2022-41894: TensorFlow is an open source platform for machine learning. The reference kernel of the `CONV_3D_TRANSPOSE` TensorFlow L

high vulnerability
security
Nov 18, 2022
CVE-2022-41894

TensorFlow Lite's `CONV_3D_TRANSPOSE` operator (a component that flips and reorganizes 3D data during machine learning processing) had a bug where it incorrectly calculated memory addresses when adding bias values, potentially allowing an attacker to write data outside the intended memory area (buffer overflow, where data gets written beyond allocated boundaries). The vulnerability only affects users who employ TensorFlow's default kernel resolver in their interpreter.

CVE-2022-41893: TensorFlow is an open source platform for machine learning. If `tf.raw_ops.TensorListResize` is given a nonscalar value

medium vulnerability
security
Nov 18, 2022
CVE-2022-41893

TensorFlow, an open source machine learning platform, has a vulnerability in the `tf.raw_ops.TensorListResize` function where providing a nonscalar value (a value that isn't a single number) for the `size` input causes a CHECK fail, which can be exploited to trigger a denial of service attack (making the system crash or become unavailable).

CVE-2022-41891: TensorFlow is an open source platform for machine learning. If `tf.raw_ops.TensorListConcat` is given `element_shape=[]`

medium vulnerability
security
Nov 18, 2022
CVE-2022-41891

TensorFlow, an open source machine learning platform, has a vulnerability where a specific function called `tf.raw_ops.TensorListConcat` crashes with a segmentation fault (a memory error that causes a program to suddenly stop) when given certain invalid input. This crash can be exploited to cause a denial of service attack (making the service unavailable to users).

CVE-2022-41890: TensorFlow is an open source platform for machine learning. If `BCast::ToShape` is given input larger than an `int32`, i

medium vulnerability
security
Nov 18, 2022
CVE-2022-41890

TensorFlow is a machine learning platform that had a bug where a function called `BCast::ToShape` would crash when given very large numbers (larger than an `int32`, which is a 32-bit integer), even though it was designed to handle larger `int64` values. This bug could be triggered by using the `tf.experimental.numpy.outer` function with large inputs.

CVE-2022-41889: TensorFlow is an open source platform for machine learning. If a list of quantized tensors is assigned to an attribute,

medium vulnerability
security
Nov 18, 2022
CVE-2022-41889

TensorFlow, an open source machine learning platform, had a bug where passing quantized tensors (specially compressed numeric data) to certain functions caused the parsing code to fail silently and return a null pointer (empty reference) instead of the expected data. This could cause crashes or unexpected behavior in machine learning programs using affected TensorFlow functions.

CVE-2022-41888: TensorFlow is an open source platform for machine learning. When running on GPU, `tf.image.generate_bounding_box_proposa

medium vulnerability
security
Nov 18, 2022
CVE-2022-41888

TensorFlow, an open source machine learning platform, has a vulnerability in its `tf.image.generate_bounding_box_proposals` function when running on GPU. The function fails to validate that the `scores` input has the correct rank (dimension structure), which could cause problems. This is classified as improper input validation (CWE-20, where a program doesn't properly check if data meets required specifications).

CVE-2022-41887: TensorFlow is an open source platform for machine learning. `tf.keras.losses.poisson` receives a `y_pred` and `y_true` t

medium vulnerability
security
Nov 18, 2022
CVE-2022-41887

TensorFlow's poisson loss function (a tool for measuring prediction errors in machine learning) crashes when certain input dimensions multiply together and exceed the limit of a 32-bit integer, causing a size mismatch during broadcast assignment (aligning data for computation). The vulnerability affects multiple versions of TensorFlow.

CVE-2022-41886: TensorFlow is an open source platform for machine learning. When `tf.raw_ops.ImageProjectiveTransformV2` is given a larg

medium vulnerability
security
Nov 18, 2022
CVE-2022-41886

TensorFlow (an open source platform for machine learning) has a bug in the `tf.raw_ops.ImageProjectiveTransformV2` function where it overflows (uses more memory than available) when given a large output shape. This vulnerability was caused by an incorrect calculation of buffer size (the amount of memory needed to store data).

CVE-2022-41885: TensorFlow is an open source platform for machine learning. When `tf.raw_ops.FusedResizeAndPadConv2D` is given a large t

medium vulnerability
security
Nov 18, 2022
CVE-2022-41885

TensorFlow (an open source machine learning platform) has a vulnerability in the `tf.raw_ops.FusedResizeAndPadConv2D` function where a buffer overflow (a memory error where data exceeds available space) occurs when given very large tensor shapes. The bug stems from an incorrect buffer size calculation.

CVE-2022-41884: TensorFlow is an open source platform for machine learning. If a numpy array is created with a shape such that one eleme

medium vulnerability
security
Nov 18, 2022
CVE-2022-41884

TensorFlow, an open source machine learning platform, has a bug where creating a numpy array (a data structure for storing numbers) with a specific shape (one dimension with zero elements and others summing to a large number) causes an error. The developers have created a fix and will release it in upcoming versions of TensorFlow.

CVE-2022-41880: TensorFlow is an open source platform for machine learning. When the `BaseCandidateSamplerOp` function receives a value

medium vulnerability
security
Nov 18, 2022
CVE-2022-41880

TensorFlow, an open source machine learning platform, has a vulnerability in the `BaseCandidateSamplerOp` function that causes a heap OOB read (out-of-bounds read, where a program accesses memory it shouldn't) when it receives certain invalid input values. This is a memory safety bug that could allow attackers to read sensitive data from the program's memory.

CVE-2022-41883: TensorFlow is an open source platform for machine learning. When ops that have specified input sizes receive a differing

medium vulnerability
security
Nov 18, 2022
CVE-2022-41883

TensorFlow (an open source platform for machine learning) has a bug where certain operations crash when they receive a different number of inputs than expected, which could cause the program to stop working. This vulnerability is classified as an out-of-bounds read (accessing memory outside the intended range).

CVE-2022-36022: Deeplearning4J is a suite of tools for deploying and training deep learning models using the JVM. Packages org.deeplearn

medium vulnerability
security
Nov 10, 2022
CVE-2022-36022

Deeplearning4J (a tool for building machine learning models on Java systems) versions up to 1.0.0-M2.1 have a vulnerability where some test code references unclaimed S3 buckets (cloud storage spaces that no longer belong to the original owner), which could potentially be exploited by attackers who claim those buckets. This mainly affects older natural language processing examples in the software.

CVE-2022-36027: TensorFlow is an open source platform for machine learning. When converting transposed convolutions using per-channel we

medium vulnerability
security
Sep 16, 2022
CVE-2022-36027

TensorFlow (an open source platform for machine learning) crashes when converting transposed convolutions (a type of neural network layer operation) with per-channel weight quantization (a compression technique that reduces precision individually for different channels). The conversion triggers a segfault (a memory access error that terminates the program), which crashes the Python process.

CVE-2022-36017: TensorFlow is an open source platform for machine learning. If `Requantize` is given `input_min`, `input_max`, `requeste

medium vulnerability
security
Sep 16, 2022
CVE-2022-36017

TensorFlow, an open source platform for machine learning, has a vulnerability where a function called `Requantize` crashes when given certain types of input data (tensors of nonzero rank), allowing attackers to trigger a denial of service attack (making the system unavailable). The issue has been fixed and will be released in updated versions of the software.


Fix: The fix is included in TensorFlow version 2.11. For users still on older supported versions, patches were also applied to TensorFlow 2.10.1, 2.9.3, and 2.8.4. Users should update to one of these patched versions. The specific patch commit is af4a6a3c8b95022c351edae94560acc61253a1b8 on GitHub.

NVD/CVE Database

Fix: The patch is available in GitHub commit d71090c3e5ca325bdf4b02eb236cfb3ee823e927. Users should upgrade to TensorFlow 2.11, or apply the patch to supported earlier versions: 2.10.1, 2.9.3, and 2.8.4.

NVD/CVE Database

Fix: The fix is included in TensorFlow 2.11. The patch has also been backported to TensorFlow 2.10.1, 2.9.3, and 2.8.4. Users should update to one of these versions or later.

NVD/CVE Database

Fix: The fix is included in TensorFlow 2.11 and has been backported (applied to older versions) in TensorFlow 2.10.1, 2.9.3, and 2.8.4. Users should update to one of these patched versions. The fix was committed in GitHub commit 717ca98d8c3bba348ff62281fdf38dcb5ea1ec92.

NVD/CVE Database

Fix: The issue was patched in GitHub commit 72c0bdcb25305b0b36842d746cc61d72658d2941. The fix will be included in TensorFlow 2.11, and will be backported to TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4.

NVD/CVE Database

Fix: The issue has been patched in GitHub commit 888e34b49009a4e734c27ab0c43b0b5102682c56. The fix is included in TensorFlow 2.11 and will be backported to TensorFlow 2.10.1, 2.9.3, and 2.8.4.

NVD/CVE Database

Fix: The fix is included in TensorFlow 2.11 and will be cherrypicked (backported) to TensorFlow 2.10.1, 2.9.3, and 2.8.4. Users can refer to GitHub commit fc33f3dc4c14051a83eec6535b608abe1d355fde for the patch details.

NVD/CVE Database

Fix: The issue was patched in GitHub commit 8310bf8dd188ff780e7fc53245058215a05bdbe5. The fix will be included in TensorFlow 2.11, and will also be backported (applied to earlier versions) in TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4.

NVD/CVE Database

Fix: The issue was patched in GitHub commit e9e95553e5411834d215e6770c81a83a3d0866ce and will be included in TensorFlow 2.11. The fix will also be backported (applied to earlier versions) in TensorFlow 2.10.1, 2.9.3, and 2.8.4.

NVD/CVE Database

Fix: The fix is included in TensorFlow 2.11 and has been backported to versions 2.10.1, 2.9.3, and 2.8.4. Users should update to one of these patched versions. The patch details are available in GitHub commit cf35502463a88ca7185a99daa7031df60b3c1c98.

NVD/CVE Database

Fix: The issue has been patched in GitHub commit c5b30379ba87cbe774b08ac50c1f6d36df4ebb7c. The fix will be included in TensorFlow 2.11, and will also be patched in TensorFlow 2.10.1 and 2.9.3. TensorFlow 2.8.x will not receive this patch due to dependency changes in the underlying Eigen library between versions.

NVD/CVE Database

Fix: The fix is available in TensorFlow 2.11. For users on earlier versions still receiving support, the patch will be included in TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4. Users can also apply the fix directly via GitHub commit 8faa6ea692985dbe6ce10e1a3168e0bd60a723ba.

NVD/CVE Database

Fix: The fix is available in TensorFlow 2.11. For users on earlier versions, the patch has been applied to TensorFlow 2.10.1, 2.9.3, and 2.8.4. Users should update to one of these versions.

NVD/CVE Database

Fix: The fix is included in TensorFlow 2.11. For users on earlier versions still receiving support, the patch will also be available in TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4. The fix is available in GitHub commit 2b56169c16e375c521a3bc8ea658811cc0793784.

NVD/CVE Database

Fix: The issue has been patched in GitHub commit b389f5c944cadfdfe599b3f1e4026e036f30d2d4. Users should update to TensorFlow 2.11, or if using earlier versions, update to TensorFlow 2.10.1, 2.9.3, or 2.8.4, which will also receive the fix through a cherry-pick (backporting the patch to older supported versions).

NVD/CVE Database

Fix: The fix is included in TensorFlow 2.11. Users on earlier versions should update to TensorFlow 2.10.1, 2.9.3, or 2.8.4, which have the patch applied through GitHub commit f5381e0e10b5a61344109c1b7c174c68110f7629.

NVD/CVE Database

Fix: Users should upgrade to snapshots (development versions) of Deeplearning4J. A full release with the fix is planned for a later date. As a workaround, download a word2vec Google News vector (a pre-trained language model) from a new source using git lfs (a system for managing large files in code repositories).

NVD/CVE Database

Fix: The issue has been patched in GitHub commit aa0b852a4588cea4d36b74feb05d93055540b450. The fix will be included in TensorFlow 2.10.0, and will also be backported to TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2.

NVD/CVE Database

Fix: The fix is included in TensorFlow 2.10.0. The patch will also be applied to TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2. Users should upgrade to one of these patched versions. There are no known workarounds for this issue.

NVD/CVE Database