SB2021081248 - Multiple vulnerabilities in TensorFlow
Published: August 12, 2021 Updated: May 4, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 25 vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2021-37690)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in shape inference functions when processing shapes and types output information. A local user can trigger access to stale shape information to cause a denial of service.
2) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2021-37692)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of failed string tensor encoding in Go tensor finalization in C.TF_TString_Dealloc when garbage collecting a string tensor whose encoding failed due to mismatched dimensions. A local user can create a string tensor with mismatched dimensions to cause a denial of service.
3) Division by zero (CVE-ID: CVE-2021-37691)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to division by zero in the LSH implementation in TFLite when parsing a crafted TFLite model. A remote attacker can supply a specially crafted model to cause a denial of service.
4) NULL pointer dereference (CVE-ID: CVE-2021-37689)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to null pointer dereference in the TFLite MLIR optimization for the L2NormalizeReduceAxis operator when processing a crafted TFLite model. A remote attacker can supply a specially crafted model to cause a denial of service.
5) NULL pointer dereference (CVE-ID: CVE-2021-37688)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a null pointer dereference in TFLite optimized_ops.h when parsing a crafted TFLite model. A remote attacker can supply a specially crafted model to cause a denial of service.
6) Out-of-bounds read (CVE-ID: CVE-2021-37687)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the TFLite Gather and GatherNd implementations when parsing a crafted model containing negative indices. A local user can supply a crafted model with negative values in indices to disclose sensitive information.
7) Out-of-bounds read (CVE-ID: CVE-2021-37685)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the TFLite expand_dims kernel implementation in expand_dims.cc when parsing a model with a large negative axis value. A remote attacker can supply crafted input to trigger the out-of-bounds read and disclose sensitive information.
8) Division by zero (CVE-ID: CVE-2021-37684)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to division by zero in TFLite pooling operations when parsing input. A remote attacker can supply crafted input to cause a denial of service.
9) Division by zero (CVE-ID: CVE-2021-37683)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to division by zero in TFLite division operations when processing a divisor tensor. A remote attacker can supply a divisor tensor containing zero elements to cause a denial of service.
10) Use of Uninitialized Variable (CVE-ID: CVE-2021-37682)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to use of uninitialized values in TFLite quantization handling when parsing models with quantized operations. A remote attacker can supply a specially crafted model to cause a denial of service.
11) NULL pointer dereference (CVE-ID: CVE-2021-37681)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a null pointer dereference in the SVDF implementation in TFLite when parsing a crafted model. A remote attacker can supply a specially crafted model to cause a denial of service.
12) Division by zero (CVE-ID: CVE-2021-37680)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to division by zero in the fully connected layers implementation in TFLite when parsing a crafted model. A remote attacker can supply a model with a zero value in filter dimensions to cause a denial of service.
13) Out-of-bounds read (CVE-ID: CVE-2021-37679)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the conversion from a Variant tensor to a RaggedTensor when processing nested tf.map_fn calls with RaggedTensor input and no function signature. A remote attacker can supply crafted RaggedTensor input to disclose sensitive information.
The issue can occur because the implementation does not check that all inner shapes match.
14) Deserialization of Untrusted Data (CVE-ID: CVE-2021-37678)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to unsafe deserialization in the Keras model YAML deserialization functionality when parsing a crafted YAML model definition. A remote attacker can supply a specially crafted YAML payload to execute arbitrary code.
15) Input validation error (CVE-ID: CVE-2021-37677)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in shape inference for tf.raw_ops.Dequantize when processing invalid arguments. A remote attacker can supply crafted input values, including an invalid axis value, to cause a denial of service.
The issue can trigger a segfault.
16) Input validation error (CVE-ID: CVE-2021-37675)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in shape inference implementation for convolution operators when processing crafted tensor shapes. A remote attacker can supply crafted input and filter tensors to cause a denial of service.
17) Input validation error (CVE-ID: CVE-2021-37676)
The vulnerability allows a remote attacker to cause undefined behavior.
The vulnerability exists due to improper input validation in tf.raw_ops.SparseFillEmptyRows shape inference when processing empty tensor inputs. A remote attacker can supply crafted empty tensors to cause undefined behavior.
18) Input validation error (CVE-ID: CVE-2021-37674)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in tf.raw_ops.MaxPoolGrad when processing crafted orig_input and orig_output tensors. A local user can supply crafted tensor values to cause a denial of service.
The issue can be triggered via a segmentation fault.
19) Input validation error (CVE-ID: CVE-2021-37673)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in tf.raw_ops.MapStage when processing a crafted key input tensor. A remote attacker can supply an empty key tensor to trigger a CHECK failure and cause a denial of service.
20) Out-of-bounds read (CVE-ID: CVE-2021-37672)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in tf.raw_ops.SdcaOptimizerV2 when processing specially crafted illegal arguments. A remote attacker can send specially crafted illegal arguments to disclose sensitive information.
The issue occurs because the implementation does not check that the length of example_labels matches the number of examples.
21) Input validation error (CVE-ID: CVE-2021-37671)
The vulnerability allows a remote attacker to cause undefined behavior.
The vulnerability exists due to improper input validation in tf.raw_ops.Map* and tf.raw_ops.OrderedMap* operations when processing an empty indices input. A remote attacker can supply crafted input to cause undefined behavior.
22) Out-of-bounds read (CVE-ID: CVE-2021-37670)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in tf.raw_ops.UpperBound and tf.raw_ops.LowerBound when processing specially crafted illegal arguments. A remote attacker can send specially crafted illegal arguments to disclose sensitive information.
The issue occurs because the rank of the sorted_input tensor is not validated before the first two dimensions are accessed.
23) Incorrect Conversion between Numeric Types (CVE-ID: CVE-2021-37669)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to integer conversion to unsigned in tf.raw_ops.NonMaxSuppressionV5 and CombinedNonMaxSuppression when processing a negative max output size value. A remote attacker can supply a specially crafted argument to cause a denial of service.
The issue can be triggered in applications serving models that use these NMS operations.
24) Input validation error (CVE-ID: CVE-2021-37668)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in tf.raw_ops.UnravelIndex when processing a crafted dims tensor. A remote attacker can supply input containing a zero value in dims to cause a denial of service.
25) Input validation error (CVE-ID: CVE-2021-37667)
The vulnerability allows a remote attacker to cause undefined behavior.
The vulnerability exists due to improper input validation in tf.raw_ops.UnicodeEncode when processing crafted input tensors. A remote attacker can supply empty input_splits data to cause undefined behavior.
Remediation
Install update from vendor's website.
References
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-3hxh-8cp2-g4hg
- https://github.com/tensorflow/tensorflow/commit/ee119d4a498979525046fba1c3dd3f13a039fbb1
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cmgw-8vpc-rc59
- https://github.com/tensorflow/tensorflow/commit/8721ba96e5760c229217b594f6d2ba332beedf22
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-27qf-jwm8-g7f3
- https://github.com/tensorflow/tensorflow/commit/0575b640091680cfb70f4dd93e70658de43b94f9
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wf5p-c75w-w3wh
- https://github.com/tensorflow/tensorflow/commit/d6b57f461b39fd1aa8c1b870f1b974aac3554955
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vcjj-9vg7-vf68
- https://github.com/tensorflow/tensorflow/commit/15691e456c7dc9bd6be203b09765b063bf4a380c
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-jwf9-w5xm-f437
- https://github.com/tensorflow/tensorflow/commit/bb6a0383ed553c286f87ca88c207f6774d5c4a8f
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c545-c4f9-rf6v
- https://github.com/tensorflow/tensorflow/commit/d94ffe08a65400f898241c0374e9edc6fa8ed257
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q7f7-544h-67h9
- https://github.com/tensorflow/tensorflow/commit/dfa22b348b70bb89d6d6ec0ff53973bacb4f4695
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rhrq-64mq-hf9h
- https://github.com/tensorflow/tensorflow/commit/1e206baedf8bef0334cca3eb92bab134ef525a28
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-4c4g-crqm-xrxw
- https://github.com/tensorflow/tensorflow/commit/537bc7c723439b9194a358f64d871dd326c18887
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7xwj-5r4v-429p
- https://github.com/tensorflow/tensorflow/commit/5b048e87e4e55990dae6b547add4dae59f4e1c76
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cfpj-3q4c-jhvr
- https://github.com/tensorflow/tensorflow/commit/718721986aa137691ee23f03638867151f74935f
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-g8wg-cjwc-xhhp
- https://github.com/tensorflow/tensorflow/commit/4e2565483d0ffcadc719bd44893fb7f609bb5f12
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-r6jx-9g48-2r5r
- https://github.com/tensorflow/tensorflow/commit/23d6383eb6c14084a8fc3bdf164043b974818012
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qfpc-5pjr-mh26
- https://github.com/tensorflow/tensorflow/commit/da857cfa0fde8f79ad0afdbc94e88b5d4bbec764
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9c8h-2mv3-49ww
- https://github.com/tensorflow/tensorflow/commit/8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-v768-w7m9-2vmm
- https://github.com/tensorflow/tensorflow/commit/578e634b4f1c1c684d4b4294f9e5281b2133b3ed
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7ghq-fvr3-pj2x
- https://github.com/tensorflow/tensorflow/commit/136b51f10903e044308cf77117c0ed9871350475
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-278g-rq84-9hmg
- https://github.com/tensorflow/tensorflow/commit/d7de67733925de196ec8863a33445b73f9562d1d
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-5hj3-vjjf-f5m7
- https://github.com/tensorflow/tensorflow/commit/a4e138660270e7599793fa438cd7b2fc2ce215a6
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qr82-2c78-4m8h
- https://github.com/tensorflow/tensorflow/commit/532f5c5a547126c634fefd43bbad1dc6417678ac
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9697-98pf-4rw7
- https://github.com/tensorflow/tensorflow/commit/42459e4273c2e47a3232cc16c4f4fff3b3a35c38
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vmjw-c2vp-p33c
- https://github.com/tensorflow/tensorflow/commit/3a7362750d5c372420aa8f0caf7bf5b5c3d0f52d
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-2wmv-37vq-52g5
- https://github.com/tensorflow/tensorflow/commit/a776040a5e7ebf76eeb7eb923bf1ae417dd4d233
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-w74j-v8xh-3w5h
- https://github.com/tensorflow/tensorflow/commit/2e0ee46f1a47675152d3d865797a18358881d7a6