Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
TensorFlow, an open source machine learning platform, has a vulnerability in its fully connected layers (neural network components that connect all inputs to all outputs) in TFLite (a lightweight version for mobile devices) that causes a division by zero error (attempting to divide by zero, which crashes the program). The issue has been patched and will be included in upcoming updates.
Fix: The fix will be included in TensorFlow 2.6.0. It will also be backported (applied to older versions still being supported) to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseTensorFlow (an open-source platform for machine learning) has a vulnerability where an attacker can trigger undefined behavior (unpredictable program crashes or malfunctions) by exploiting the `tf.raw_ops.SparseFillEmptyRows` function, which fails to check whether input arguments are empty tensors (multi-dimensional arrays). This flaw exists in the shape inference code, which is responsible for determining the size and structure of data.
TensorFlow, a machine learning platform, has a vulnerability where attackers can crash the software by exploiting division by zero errors in convolution operators (mathematical operations that process data in machine learning models). This happens because the code that checks input shapes is missing validation steps before performing divisions, allowing someone to trigger a denial of service (making the system unavailable).
TensorFlow, an open source machine learning platform, has a vulnerability in its Map and OrderedMap operations where an attacker can cause undefined behavior (unpredictable or dangerous program actions) by exploiting a missing check for empty data indices. The code checks if indices are in order but doesn't verify they exist, leaving a gap that can lead to null pointer reference binding (attempting to use memory that hasn't been allocated).
TensorFlow, an open source machine learning platform, has a vulnerability where an attacker can cause undefined behavior (unpredictable program crashes or malfunctions) by exploiting a flaw in the `tf.raw_ops.UnicodeEncode` function. The problem occurs because the code reads data from a tensor without first checking if that tensor is empty, which can lead to a null pointer dereference (trying to access memory that doesn't exist).
TensorFlow, an open source machine learning platform, has a vulnerability (CVE-2021-37666) where attackers can cause undefined behavior (unpredictable program crashes or errors) by exploiting incomplete validation in the RaggedTensorToVariant function. The flaw occurs when the function receives empty input values that it doesn't properly check for.
TensorFlow, a machine learning platform, has a use-after-free vulnerability (a bug where freed memory is accessed again) in the `tf.raw_ops.BoostedTreesCreateEnsemble` function that attackers can trigger with specially crafted input. The issue stems from refactoring that changed a resource from a naked pointer (basic memory reference) to a smart pointer (automatic memory management), causing the resource to be freed twice and its members to be accessed during cleanup after it's already been deallocated.
TensorFlow, a machine learning platform, has a vulnerability in its `SaveV2` function where input validation fails to properly stop execution, allowing an attacker to trigger a null pointer dereference (a crash caused by accessing invalid memory). The validation check uses a method that only sets an error status but doesn't actually stop the function, so harmful operations continue anyway.
TensorFlow (an open-source platform for machine learning) has a vulnerability where an attacker can read data from outside the intended memory area by sending specially crafted invalid arguments to a specific function called `BoostedTreesSparseCalculateBestFeatureSplit`. The problem occurs because the code doesn't properly check that input values are within valid ranges.
TensorFlow, an open-source platform for machine learning, has a vulnerability in two functions (BoostedTreesCalculateBestGainsPerFeature and BoostedTreesCalculateBestFeatureSplitV2) where attackers can cause undefined behavior (unpredictable program crashes or errors) by exploiting missing input validation that fails to check for null references (empty pointers). The issue allows attackers to trigger these crashes through specially crafted inputs.
TensorFlow, a machine learning platform, has a vulnerability where attackers can crash the system by passing negative numbers to the `boosted_trees_create_quantile_stream_resource` function. The bug happens because the code doesn't check if the input is negative before using it to allocate memory (reserve, which expects an unsigned integer, or a whole number with no sign). When a negative number gets converted to an unsigned integer, it becomes a huge positive number that causes the program to crash.
TensorFlow, an open-source machine learning platform, has a vulnerability where an attacker can cause undefined behavior (unpredictable or unsafe program execution) by exploiting binary cwise operations (element-wise math operations between two arrays) that don't check if their inputs have the same size. This missing check allows the program to read from invalid memory locations and crash or behave unexpectedly.
TensorFlow, a machine learning platform, has a vulnerability in its MatrixSetDiagV operations where an attacker can cause undefined behavior (unpredictable program crashes or errors) by passing an empty tensor (a data structure with no elements) as input, since the code doesn't properly validate that the input tensor has at least one element before trying to access it.
TensorFlow, an open-source machine learning platform, has a vulnerability (CVE-2021-37657) where attackers can cause undefined behavior (unpredictable crashes or errors) by exploiting incomplete validation in matrix diagonal operations. The vulnerability occurs because the code doesn't check if the input tensor (a multi-dimensional array of data) is empty before trying to access its first element.
TensorFlow, a machine learning platform, has a vulnerability where an attacker can cause undefined behavior (unpredictable program crashes or errors) by exploiting incomplete validation in the `tf.raw_ops.RaggedTensorToSparse` function. The function fails to check that split values are in increasing order, allowing an attacker to bind a reference to a null pointer (a reference to an empty memory location).
TensorFlow, an open source platform for machine learning, has a vulnerability where an attacker can read data outside the bounds of allocated memory (a heap buffer overflow) by sending invalid arguments to a specific function called `tf.raw_ops.ResourceScatterUpdate`. The bug exists because the code doesn't properly validate the relationship between the shapes of two inputs called `indices` and `updates`, checking only that their element counts are divisible rather than verifying the correct dimensional relationship needed for broadcasting (automatically expanding smaller arrays to match larger ones).
TensorFlow (an open source platform for machine learning) has a vulnerability in the `tf.raw_ops.ResourceGather` function that allows attackers to crash the software or read data from memory they shouldn't access by supplying an invalid `batch_dims` parameter (a dimension value that exceeds the tensor's rank, which is the number of dimensions in a data structure). The bug occurs because the code doesn't validate that the user's input is within acceptable bounds before using it.
TensorFlow, a machine learning platform, has a vulnerability in the `tf.raw_ops.FractionalAvgPoolGrad` function where it can access memory outside the bounds of allocated buffers (a buffer overflow, where a program reads from memory it shouldn't access) when given an empty input. The function fails to check whether the input is empty before trying to read from it.
TensorFlow, a machine learning platform, has a vulnerability in two functions that can cause a heap buffer overflow (writing data past the end of allocated memory) and crash the program when processing dataset records. The code incorrectly assumes all records are strings without checking, but users might pass numeric types instead, triggering the error.
TensorFlow (an open-source machine learning platform) has a vulnerability in the `tf.raw_ops.StringNGrams` function where negative input values cause an integer overflow (a bug where a number wraps around to an unexpectedly large value). When a negative value is converted to an unsigned integer (a number that can only be positive) for memory allocation, it becomes a very large number, potentially causing the program to crash or behave unexpectedly.
Fix: The issue has been patched in GitHub commit 578e634b4f1c1c684d4b4294f9e5281b2133b3ed. The fix will be included in TensorFlow 2.6.0 and will also be back-ported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: The issue has been patched in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. The fix will be included in TensorFlow 2.6.0 and will be backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: The fix is included in TensorFlow 2.6.0 and was cherrypicked into TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4. Users of affected versions should update to one of these patched releases.
NVD/CVE DatabaseFix: The issue is patched in GitHub commit 2e0ee46f1a47675152d3d865797a18358881d7a6. The fix will be included in TensorFlow 2.6.0 and will also be backported (applied to earlier versions still receiving updates) in TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: The issue has been patched in GitHub commit be7a4de6adfbd303ce08be4332554dff70362612. The fix will be included in TensorFlow 2.6.0, and will also be back-ported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: The issue was patched in GitHub commit 5ecec9c6fbdbc6be03295685190a45e7eee726ab. The fix is included in TensorFlow 2.6.0 and was also backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: The issue was patched in GitHub commit 9728c60e136912a12d99ca56e106b7cce7af5986. The fix is included in TensorFlow 2.6.0 and will also be backported (applied to older versions) in TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: The issue was patched in GitHub commit e84c975313e8e8e38bb2ea118196369c45c51378. The fix is included in TensorFlow 2.6.0 and will be backported (applied retroactively) to TensorFlow 2.5.1, 2.4.3, and 2.3.4.
NVD/CVE DatabaseFix: The fix is included in TensorFlow 2.6.0 and will be backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4. Users should update to one of these patched versions.
NVD/CVE DatabaseFix: The issue has been patched in GitHub commit 8a84f7a2b5a2b27ecf88d25bad9ac777cd2f7992. The fix will be included in TensorFlow 2.6.0 and will also be backported (added to older versions still being supported) in TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: The issue was patched in GitHub commit 93f428fd1768df147171ed674fee1fc5ab8309ec. The fix will be included in TensorFlow 2.6.0, and will also be backported (applied to earlier versions still receiving support) to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: The issue was patched in GitHub commit ff8894044dfae5568ecbf2ed514c1a37dc394f1b. The fix is included in TensorFlow 2.6.0 and will be backported (applied to older versions still receiving support) to TensorFlow 2.5.1, 2.4.3, and 2.3.4.
NVD/CVE DatabaseFix: The issue was patched in GitHub commit f2a673bd34f0d64b8e40a551ac78989d16daad09. The fix is included in TensorFlow 2.6.0, and will also be available in TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: The issue has been patched in GitHub commit 1071f554dbd09f7e101324d366eec5f4fe5a3ece. The fix will be included in TensorFlow 2.6.0, and will also be backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: The issue was patched in GitHub commit 01cff3f986259d661103412a20745928c727326f. The fix is included in TensorFlow 2.6.0 and will be cherrypicked to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: The issue was patched in GitHub commit bc9c546ce7015c57c2f15c168b3d9201de679a1d. The fix is included in TensorFlow 2.6.0 and was also applied to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: The issue was patched in GitHub commit 0f931751fb20f565c4e94aa6df58d54a003cdb30. The fix will be included in TensorFlow 2.6.0, and will also be applied to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: The issue was patched in GitHub commit e0b6e58c328059829c3eb968136f17aa72b6c876. The fix is included in TensorFlow 2.6.0 and was also applied to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE DatabaseFix: The issue is patched in GitHub commit c283e542a3f422420cfdb332414543b62fc4e4a5. The fix will be included in TensorFlow 2.6.0 and will also be cherry-picked (applied to older supported versions) in TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
NVD/CVE Database