Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
A vulnerability in TensorFlow (an open source machine learning platform) allows attackers to cause a stack overflow (a crash caused by a program using too much memory on the call stack) by sending specially crafted input to the `ParseAttrValue` function through recursion (when a function calls itself repeatedly).
Fix: The fix will be included in TensorFlow 2.5.0. It will also be applied to TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseA bug in TensorFlow's `tf.io.decode_raw` function causes incorrect results and crashes when using certain combinations of parameters. The problem stems from incorrect pointer arithmetic (moving through memory incorrectly), which causes the function to skip parts of input data and write outside the allocated memory bounds (OOB write, where data is written to memory locations it shouldn't access), potentially leading to crashes or more serious attacks.
TensorFlow (an open-source machine learning platform) has a vulnerability in its `tf.raw_ops.CTCLoss` function where incomplete validation (insufficient checking of input data) allows an attacker to trigger an OOB read from heap (accessing memory outside the intended boundaries). This is a memory safety issue that could crash the program or expose sensitive data.
TensorFlow has a vulnerability (CVE-2021-29612) where a specific operation called `tf.raw_ops.BandedTriangularSolve` can be tricked into accessing memory it shouldn't (a heap buffer overflow, where an attacker reads or writes beyond the intended memory boundaries). The bug happens because the code doesn't properly check if input data is empty, and it doesn't verify that earlier validation checks actually succeeded before continuing to process the data.
TensorFlow, an open-source machine learning platform, has a vulnerability in the `SparseReshape` function where it doesn't properly check that input arguments are valid before using them. This incomplete validation allows an attacker to cause a denial of service (a crash that makes the system unavailable) by triggering a CHECK-failure, which is a built-in safety check that stops execution when something goes wrong.
TensorFlow has a vulnerability in the `QuantizeAndDequantizeV2` function where incorrect validation of the `axis` parameter allows invalid values to pass through, potentially causing heap underflow (a memory safety error where data is accessed below allocated memory boundaries). This flaw could let attackers read or write to other data stored in the heap (the area of memory used for dynamic storage).
TensorFlow's `SparseAdd` function (a tool for adding sparse tensors, which are data structures with mostly empty values) has incomplete validation that allows attackers to cause undefined behavior like accessing null memory or writing data outside allocated memory bounds. The vulnerability exists because the code doesn't properly check if tensors are empty or if their dimensions match, letting attackers send invalid sparse tensors that exploit unprotected assumptions.
TensorFlow, an open source machine learning platform, has a vulnerability in a function called `tf.raw_ops.RaggedTensorToTensor` that fails to properly validate (check) all input arguments. An attacker can cause undefined behavior (unpredictable crashes or memory access errors) by providing empty inputs, because the code only checks that one input isn't empty while skipping checks on the others.
TensorFlow, an open-source machine learning platform, has a bug in its `SparseAdd` function where it doesn't fully check the validity of sparse tensors (data structures that efficiently store mostly empty matrices). This allows attackers to send malformed tensors that can cause the program to crash or write data to unintended memory locations.
TensorFlow, an open source machine learning platform, has a vulnerability in TFLite (TensorFlow Lite, a lightweight version for mobile devices) where a maliciously designed model can trigger an OOB read (out-of-bounds read, accessing memory outside the intended data area) on the heap when the `Split_V` operation receives an invalid axis value that falls outside the expected range.
TensorFlow, a machine learning platform, has a vulnerability in its TFLite component (a lightweight version for mobile devices) where an attacker can create a malicious model that causes an integer overflow (when a calculation produces a number too large to fit in its storage type, wrapping around to become negative). This overflow leads to invalid memory allocation, potentially causing the program to crash or behave unpredictably.
TensorFlow, an open source machine learning platform, has a vulnerability in its TFLite (TensorFlow Lite, a lightweight version for mobile devices) hashtable lookup implementation that can cause a division by zero error (a crash caused by dividing by zero). An attacker could create a malicious model that triggers this crash by setting a dimension to 0.
TensorFlow, a machine learning platform, has a vulnerability where a specially crafted TFLite model (a lightweight version of TensorFlow for mobile devices) can cause an OOB write on heap (writing data beyond allocated memory boundaries) in the ArgMin/ArgMax operations. The bug occurs when the axis_value parameter falls outside valid bounds, causing the code to write past the end of the output array.
TensorFlow, an open-source machine learning platform, has a vulnerability in its `DepthwiseConv` operator (a component that performs a specific type of mathematical operation on data) where an attacker could craft a malicious model that causes a division by zero error (trying to divide a number by zero, which crashes the program). This allows an attacker to potentially crash or disrupt systems using this component.
TensorFlow's TFLite (a lightweight version for mobile and embedded devices) has a bug where it can experience an integer overflow (when a number gets too large to fit in its assigned storage space) in the concatenation operation (combining multiple data arrays into one). An attacker could create a malicious machine learning model that exploits this by making dimension values too large, and this problem can occur when converting regular TensorFlow models to the TFLite format.
TensorFlow's `OneHot` operator (a component that converts index values into one-hot encoded vectors) in TFLite, the lightweight version for mobile devices, has a division by zero vulnerability. An attacker could create a malicious model that causes the operator to divide by zero, potentially crashing the system or causing unexpected behavior.
TensorFlow, an open source platform for machine learning, has a vulnerability in its `Split` operator for TFLite (TensorFlow Lite, a lightweight version for mobile devices) that causes a division by zero error (a crash that happens when code tries to divide a number by zero). An attacker can create a malicious model that sets `num_splits` to 0, triggering this crash.
TensorFlow, an open-source machine learning platform, has a vulnerability in its SVDF TFLite operator (a component that performs specific neural network calculations on mobile devices) where an attacker can craft a malicious model that causes a division by zero error (attempting to divide a number by zero, which crashes the program). This happens when a parameter called `params->rank` is set to 0.
TensorFlow, an open-source machine learning platform, has a vulnerability in its `SpaceToBatchNd` operator (a function that rearranges data in neural network models) that can be triggered by a division by zero error (when code tries to divide a number by zero, crashing the system). An attacker can create a malicious model that causes this crash by setting one dimension of the block input to 0.
TensorFlow, an open source machine learning platform, has a vulnerability in its `EmbeddingLookup` operator that can cause a division by zero error (a crash caused by trying to divide by zero). An attacker could craft a malicious model with a specific input dimension set to 0 to trigger this crash.
Fix: The fix will be included in TensorFlow 2.5.0 and will be backported (adapted for older versions) to TensorFlow 2.4.2, 2.3.3, 2.2.3, and 2.1.4.
NVD/CVE DatabaseFix: The fix is included in TensorFlow 2.5.0. Users of earlier versions should update to: TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, or TensorFlow 2.1.4, as these versions contain cherrypicked patches (code changes applied to older versions) that address the vulnerability.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. It will also be backported (applied to earlier versions) in TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. The developers will also backport (apply the fix to older versions) this commit to TensorFlow 2.4.2 and TensorFlow 2.3.3, which are the only affected versions.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0 and will be backported (cherry-picked) to TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0 and will be cherry-picked (backported) to TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4 will also receive the fix through cherrypicked commits, as these versions are affected and still supported.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. Patches will also be available in TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. Additionally, the fix will be backported (applied to earlier versions still receiving support) to TensorFlow 2.4.2, 2.3.3, 2.2.3, and 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. It will also be backported (adapted for older versions) to TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. The fix will also be backported to TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. The developers will also apply this fix as a cherry-pick (a targeted patch) to TensorFlow 2.4.2, 2.3.3, 2.2.3, and 2.1.4, which are still in the supported version range.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. The vulnerability will also be patched in earlier versions: TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. It will also be backported (applied to older versions still being supported) to TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. The vulnerability will also be patched in TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4, which are still in the supported range.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. The patch will also be applied to TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. The fix will also be backported (applied to earlier versions) in TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. It will also be backported (applied to earlier versions) to TensorFlow 2.4.2, 2.3.3, 2.2.3, and 2.1.4.
NVD/CVE DatabaseFix: The fix will be included in TensorFlow 2.5.0. The vulnerability will also be patched in TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3, and TensorFlow 2.1.4.
NVD/CVE Database