Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
TensorFlow (an open-source machine learning framework) has a vulnerability where an attacker can create a malicious TFLite model (a lightweight version of TensorFlow for mobile devices) that causes an integer overflow (when a number calculation exceeds the maximum value a computer can store) in embedding lookup operations. This overflow can sometimes lead to heap OOB read/write (accessing memory outside the intended boundaries), potentially allowing attackers to read or corrupt data.
Fix: Users are advised to upgrade to a patched version. Patches are available at: https://github.com/tensorflow/tensorflow/commit/1de49725a5fc4e48f1a3b902ec3599ee99283043, https://github.com/tensorflow/tensorflow/commit/a4e401da71458d253b05e41f28637b65baf64be4, and https://github.com/tensorflow/tensorflow/commit/f19be71717c497723ba0cea0379e84f061a75e01
NVD/CVE DatabaseAn attacker can create a malicious TFLite model (a lightweight version of TensorFlow used on mobile devices) that causes an integer overflow (where a number gets too large to fit in its storage space, wrapping around to a negative or small value) in TensorFlow's `TfLiteIntArrayCreate` function. The vulnerability happens because the code returns an `int` instead of a larger `size_t` datatype, allowing attackers to manipulate model inputs so the calculated size exceeds what an `int` can hold.
TensorFlow, an open-source machine learning framework, has a vulnerability in its TFLite (TensorFlow Lite, a version optimized for mobile devices) model processor where an attacker can create a specially crafted model that causes a division by zero error (attempting to divide a number by zero, which crashes programs) in the `BiasAndClamp` function because the code doesn't check if `bias_size` is zero before using it.
A vulnerability in TensorFlow (an open-source machine learning framework) allows an attacker to create a malicious TFLite model (TensorFlow Lite, a lightweight version of TensorFlow) that causes a division by zero error in depthwise convolutions (a type of neural network operation). The bug occurs because the code divides by a user-controlled parameter without first checking that it is positive.
TensorFlow, an open-source machine learning framework, has a vulnerability in its `SparseCountSparseOutput` function that allows a heap overflow (a type of memory corruption where a program writes data beyond allocated memory boundaries). The vulnerability affects multiple versions of TensorFlow.
TensorFlow (an open source machine learning framework) has a bug in its `QuantizedMaxPool` function where user-controlled inputs can trigger a null pointer dereference (a crash caused by the program trying to access memory that doesn't exist). The vulnerability allows attackers to potentially cause the program to crash or behave unpredictably.
TensorFlow, an open source machine learning framework, has a vulnerability in its `SparseCountSparseOutput` function where an integer overflow (a number becoming too large for its storage space) can crash the TensorFlow process during memory allocation. This vulnerability affects multiple versions of TensorFlow.
TensorFlow (an open-source machine learning framework) has a vulnerability in its Bincount operations that allows attackers to crash the system (denial of service) by sending specially crafted arguments that trigger internal safety checks to fail. The problem occurs because some invalid input conditions aren't caught early enough during the system's processing stages, leading to crashes when the system tries to allocate memory for output data.
TensorFlow (an open-source machine learning framework) has a vulnerability where certain operations can crash the program through denial of service attacks (making it unavailable by triggering assertion failures, which are safety checks in code that stop execution if something goes wrong). The developers have fixed the issue and plan to release patches across multiple supported versions.
TensorFlow, an open-source machine learning framework, has a vulnerability in its `FractionalMaxPool` function (a pooling operation used in neural networks) that can crash the program through a division by zero error (attempting to divide a number by zero, which is mathematically undefined). The vulnerability affects multiple versions of TensorFlow.
TensorFlow, an open-source machine learning framework, has a vulnerability in its `MapStage` component where a CHECK-fail (a type of crash caused by a failed validation check) occurs if the key tensor (a multi-dimensional array of data) is not a scalar (a single value). This bug can cause the program to crash unexpectedly.
TensorFlow, an open-source machine learning framework, has a vulnerability in its `UnravelIndex` function caused by an integer overflow bug (a situation where a number becomes too large for the system to handle correctly) that leads to division by zero. This flaw affects multiple versions of TensorFlow and could allow attackers to crash or disrupt the software.
TensorFlow (an open-source machine learning framework) has a bug where a cost estimator for convolution operations can be forced to divide by zero because it doesn't check that the stride argument (a parameter controlling step size in operations) is positive. The fix adds validation to ensure the stride is valid before the operation runs.
TensorFlow (an open-source machine learning framework) has a vulnerability in the `AddManySparseToTensorsMap` function where an integer overflow (when a number gets too large for its storage space) causes the program to crash when creating new TensorShape objects. The problem exists because the code doesn't properly validate input tensor shapes before using them.
TensorFlow, an open-source machine learning framework, has a vulnerability in its `Sparse*Cwise*` operations (specialized math functions for sparse tensors, a type of data structure with mostly empty values) that can be exploited through integer overflows (when calculations produce numbers too large for the system to handle). An attacker could cause the system to run out of memory or crash by providing specially crafted input dimensions.
TensorFlow, an open-source machine learning framework, has a bug in the `SparseTensorSliceDataset` component where it can crash by dereferencing a null pointer (accessing memory that doesn't exist) when given certain inputs. The code doesn't properly check that its three input arguments meet required conditions before using them.
A bug in TensorFlow's `StringNGrams` function (a tool that breaks text into small overlapping pieces) allows attackers to crash the system by causing it to run out of memory through an integer overflow (when a number gets too large and wraps around to an incorrect value). The problem stems from missing validation on the `pad_width` parameter, which can result in a negative `ngram_width` value that causes excessive memory allocation.
TensorFlow (an open source machine learning framework) has a vulnerability in its `ThreadPoolHandle` component that allows attackers to cause a denial of service attack (making a service unavailable by overwhelming it) by allocating excessive memory. The problem exists because the code only checks that the `num_threads` argument is not negative, but does not limit how large the value can be.
TensorFlow, an open-source machine learning framework, has a bug in its shape inference (the process of figuring out data dimensions) for the `ConcatV2` operation that can be exploited to crash a program through a segfault (a memory access error). The vulnerability occurs because a type confusion (mixing up different data types) allows a negative value to bypass a safety check, potentially letting attackers cause a denial of service attack (making the system unavailable).
TensorFlow, an open-source machine learning framework, has a vulnerability in its `FractionalAvgPoolGrad` function that fails to validate input data properly, allowing an attacker to read memory from outside the intended bounds of the heap (out-of-bounds read, where a program accesses data it shouldn't). This is a memory safety issue that could let attackers access sensitive information.
Fix: The fix will be included in TensorFlow 2.8.0. It will also be backported (applied to older versions still receiving updates) to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. The patch will also be applied to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. It will also be cherry-picked (applied as a patch) to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. Patches will also be cherry-picked (applied) to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, which are still in the supported range.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. The patch will also be backported to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3. Users should update to one of these versions or later.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3 will also receive this fix through a cherry-pick (applying the same fix to older supported versions).
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. The fix will also be backported (applied to older versions) in TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. Patches will also be cherry-picked (applied retroactively) to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3 will also receive this fix through a cherrypick commit, as these versions are still supported.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. The vulnerability will also be patched in TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, which are still in the supported range.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3 will also receive this fix through a cherrypick (applying a specific code change to older versions).
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. The fix will also be back-ported to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, which are still in the supported range.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. The fix will also be applied to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3 through a cherrypick (applying specific code changes to older versions).
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. The fix will also be backported (applied to older versions) in TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. The fix will also be applied to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, which are still in the supported range.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3 will also receive this fix through cherrypicked commits (backports of the fix to older versions still being supported).
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0 and will also be backported to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3 (which are still supported versions).
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. The fix will also be applied to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3 through backports (applying the same fix to older supported versions).
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.8.0. Security patches will also be backported to TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, which are still in the supported range.
NVD/CVE Database