SB2021110532 - Multiple vulnerabilities in TensorFlow
Published: November 5, 2021 Updated: May 4, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 33 vulnerabilities.
1) Integer overflow (CVE-ID: CVE-2021-41197)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an integer overflow in depthwise ops when processing crafted tensor inputs. A remote attacker can supply crafted filter_sizes values to trigger an assertion failure and cause a denial of service.
2) Out-of-bounds write (CVE-ID: CVE-2021-41208)
The vulnerability allows a local user to read and write outside the bounds of heap-allocated data and cause a denial of service.
The vulnerability exists due to out-of-bounds read and out-of-bounds write in boosted trees code in tensorflow/core/kernels/boosted_trees/stats_ops.cc when processing crafted input to boosted trees APIs. A local user can supply crafted input to trigger out-of-bounds memory access and denial of service.
The denial of service can occur through null pointer dereferences or CHECK failures.
3) Code Injection (CVE-ID: CVE-2021-41228)
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to code injection in the saved_model_cli tool when processing user-supplied input expressions. A local user can supply a crafted expression string to execute arbitrary code.
User interaction is required because the CLI tool is run manually.
4) Use of Uninitialized Variable (CVE-ID: CVE-2021-41225)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to use of uninitialized value in Grappler optimizer auto_parallel.cc when optimizing a saved model. A remote attacker can supply a crafted saved model without a Dequeue node in the train_nodes vector to cause a denial of service.
5) Heap-based buffer overflow (CVE-ID: CVE-2021-41223)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in FusedBatchNorm kernels when processing crafted input tensors in the FusedBatchNormGrad operation. A remote attacker can supply inconsistent tensor shapes to trigger an out-of-bounds heap access and cause a denial of service.
6) Out-of-bounds read (CVE-ID: CVE-2021-41227)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the ImmutableConst operation when processing a memory region as a TensorFlow string. A local user can supply a crafted memory_region_name and string type parameters to disclose sensitive information.
The issue occurs because the tstring class has a special case for memory mapped strings while the operation itself does not support this datatype.
7) Heap-based buffer overflow (CVE-ID: CVE-2021-41226)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a heap-based out-of-bounds write in the SparseBinCount implementation when processing crafted sparse bincount input. A remote attacker can supply malformed values that are not properly validated against the sparse output shape to cause a denial of service.
8) Heap-based buffer overflow (CVE-ID: CVE-2021-41224)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in the SparseFillEmptyRows operation when processing input where the size of indices does not match the size of values. A remote attacker can send crafted input to cause a denial of service.
9) Input validation error (CVE-ID: CVE-2021-41222)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in the SplitV operation when processing a size_splits argument containing more than one value with at least one negative value. A local user can supply crafted arguments to cause a denial of service.
10) Heap-based buffer overflow (CVE-ID: CVE-2021-41221)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in the shape inference code for Cudnn* operations when processing crafted input tensors. A remote attacker can supply malformed values for the input, input_h, and input_c parameters to cause a denial of service.
The issue occurs because the ranks of these parameters are not validated before the code assumes specific dimensions.
11) NULL pointer dereference (CVE-ID: CVE-2021-41217)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a null pointer dereference in the control flow graph builder when processing a model containing an Exit node that is not preceded by a paired Enter node. A remote attacker can supply a crafted TensorFlow model to cause a denial of service.
12) Division by zero (CVE-ID: CVE-2021-41218)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to division by zero in the tf.raw_ops.AllToAll shape inference code when processing a crafted split_count argument. A remote attacker can supply input with split_count set to 0 to cause a denial of service.
13) Use-after-free (CVE-ID: CVE-2021-41220)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to use-after-free in the async implementation of CollectiveReduceV2 when processing crafted input to the operation. A remote attacker can invoke the operation with crafted arguments to cause a denial of service.
The issue can also manifest as memory leaks or std::bad_alloc exceptions due to undefined behavior in error handling.
14) Heap-based buffer overflow (CVE-ID: CVE-2021-41219)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in the sparse matrix multiplication kernel when processing sparse matrix multiplication with dimensions of a or b equal to 0 or less. A remote attacker can supply crafted input tensors to cause a denial of service.
The issue is triggered by the SparseMatMul raw operation.
15) Heap-based buffer overflow (CVE-ID: CVE-2021-41216)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in the Transpose shape inference function when processing a perm argument containing negative elements. A remote attacker can supply crafted input to trigger a heap buffer overflow and cause a denial of service.
16) Improper locking (CVE-ID: CVE-2021-41213)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to use of a non-reentrant lock in the tf.function API when loading a model containing mutually recursive functions and calling a recursive tf.function. A remote attacker can cause a user to load a crafted model to cause a denial of service.
This issue is triggered when two tf.function-decorated Python functions are mutually recursive.
17) NULL pointer dereference (CVE-ID: CVE-2021-41215)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a null pointer dereference in the DeserializeSparse shape inference code when processing a crafted serialized_sparse input with scalar rank. A remote attacker can supply crafted input to trigger a crash and cause a denial of service.
18) NULL pointer dereference (CVE-ID: CVE-2021-41214)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to binding a reference to nullptr in the shape inference code for tf.ragged.cross when processing crafted input to the operation. A remote attacker can supply input that mixes ragged and non-ragged values to trigger a crash and cause a denial of service.
19) Out-of-bounds read (CVE-ID: CVE-2021-41212)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in the shape inference code for tf.ragged.cross when processing crafted input to tf.raw_ops.RaggedCross. A remote attacker can send crafted input to trigger a heap out-of-bounds read to disclose sensitive information.
20) Out-of-bounds read (CVE-ID: CVE-2021-41211)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in the QuantizeV2 shape inference code when processing a QuantizeV2 operation with a negative axis value less than -1. A remote attacker can supply a crafted axis value to cause a denial of service.
21) Out-of-bounds read (CVE-ID: CVE-2021-41205)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in the shape inference functions for tf.raw_ops.QuantizeAndDequantizeV* operations when parsing input with a negative axis value other than -1. A local user can supply crafted input to trigger a heap out-of-bounds read and disclose sensitive information.
The issue is triggered when the axis argument is a negative value different from the special optional value -1.
22) Input validation error (CVE-ID: CVE-2021-41207)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in ParallelConcat when parsing input. A remote attacker can supply a crafted shape value to cause a denial of service.
23) Division by zero (CVE-ID: CVE-2021-41209)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to division by zero in convolution operators in tensorflow/core/kernels/conv_ops.cc when processing empty filter tensor arguments. A remote attacker can pass an empty filter tensor argument to cause a denial of service.
24) Out-of-bounds read (CVE-ID: CVE-2021-41210)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the shape inference functions for tf.raw_ops.SparseCountSparseOutput when parsing crafted input tensors. A remote attacker can supply a specially crafted indices input to disclose sensitive information.
The issue occurs because the function fails to check that the indices input has rank 2.
25) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2021-41204)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper handling of resource tensors in Grappler constant folding when optimizing graphs. A remote attacker can trigger deep copying of a constant resource tensor to cause a denial of service.
26) Use of Uninitialized Variable (CVE-ID: CVE-2021-41201)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uninitialized variable access in EinsumHelper::ParseEquation when parsing a crafted equation. A remote attacker can supply a specially crafted equation to cause a denial of service.
27) Input validation error (CVE-ID: CVE-2021-41203)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in the checkpoint loading infrastructure when parsing modified checkpoint files. A local user can supply a specially crafted checkpoint file to cause a denial of service.
Exploitation requires the ability to change saved checkpoints from outside of TensorFlow.
28) Integer overflow (CVE-ID: CVE-2021-41202)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to integer overflow in the tf.range kernel when calculating the size of the output for large start or limit values. A local user can supply crafted input values to cause a denial of service.
29) Integer overflow (CVE-ID: CVE-2021-41199)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to integer overflow in tf.image.resize when processing a large size argument. A local user can supply a large size value to cause a denial of service.
The process aborts due to a CHECK failure when the output tensor size exceeds the int64_t range.
30) Integer overflow (CVE-ID: CVE-2021-41198)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to integer overflow in tf.tile when processing a large input argument. A remote attacker can supply a large tiling argument to cause a denial of service.
The issue results in a CHECK failure that aborts the process.
31) Input validation error (CVE-ID: CVE-2021-41200)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in tf.summary.create_file_writer when processing non-scalar arguments. A local user can pass a non-scalar argument to trigger a crash and cause a denial of service.
32) Input validation error (CVE-ID: CVE-2021-41196)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in max_pool3d when processing a pool size argument with a zero or negative dimension. A local user can supply a crafted pool_size value to cause a denial of service.
33) Integer overflow (CVE-ID: CVE-2021-41195)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to integer overflow in tf.math.segment_* operations when processing segment_ids values. A local user can supply a large segment id to trigger a CHECK-fail related abort and cause a denial of service.
The issue affects both CPU and GPU implementations.
Remediation
Install update from vendor's website.
References
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mw6j-hh29-h379
- https://github.com/tensorflow/tensorflow/commit/3796cc4fcd93ae55812a457abc96dcd55fbb854b
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h6gw-r52c-724r
- https://github.com/tensorflow/tensorflow/blob/e0b6e58c328059829c3eb968136f17aa72b6c876/tensorflow/core/kernels/boosted_trees/stats_ops.cc
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-3rcw-9p9x-582v
- https://github.com/tensorflow/tensorflow/commit/8b202f08d52e8206af2bdb2112a62fafbc546ec7
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7r94-xv9v-63jw
- https://github.com/tensorflow/tensorflow/commit/68867bf01239d9e1048f98cbad185bf4761bedd3
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-f54p-f6jp-4rhr
- https://github.com/tensorflow/tensorflow/commit/aab9998916c2ffbd8f0592059fad352622f89cda
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-j8c8-67vp-6mx7
- https://github.com/tensorflow/tensorflow/commit/3712a2d3455e6ccb924daa5724a3652a86f6b585
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-374m-jm66-3vj8
- https://github.com/tensorflow/tensorflow/commit/f410212e373eb2aec4c9e60bf3702eba99a38aba
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rg3m-hqc5-344v
- https://github.com/tensorflow/tensorflow/commit/67bfd9feeecfb3c61d80f0e46d89c170fbee682b
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cpf4-wx82-gxp6
- https://github.com/tensorflow/tensorflow/commit/25d622ffc432acc736b14ca3904177579e733cc6
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cqv6-3phm-hcwx
- https://github.com/tensorflow/tensorflow/commit/af5fcebb37c8b5d71c237f4e59c6477015c78ce6
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-5crj-c72x-m7gq
- https://github.com/tensorflow/tensorflow/commit/05cbebd3c6bb8f517a158b0155debb8df79017ff
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9crf-c6qr-r273
- https://github.com/tensorflow/tensorflow/commit/a8ad3e5e79c75f36edb81e0ba3f3c0c5442aeddc
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-gpfh-jvf9-7wg5
- https://github.com/tensorflow/tensorflow/commit/ca38dab9d3ee66c5de06f11af9a4b1200da5ef75
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-4f99-p9c2-3j8x
- https://github.com/tensorflow/tensorflow/commit/e6cf28c72ba2eb949ca950d834dd6d66bb01cfae
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-3ff2-r28g-w7h9
- https://github.com/tensorflow/tensorflow/commit/c79ba87153ee343401dbe9d1954d7f79e521eb14
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h67m-xg8f-fxcf
- https://github.com/tensorflow/tensorflow/commit/afac8158d43691661ad083f6dd9e56f327c1dcb7
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-x3v8-c8qx-3j3r
- https://github.com/tensorflow/tensorflow/commit/d3738dd70f1c9ceb547258cbb82d853da8771850
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vwhq-49r4-gj9v
- https://github.com/tensorflow/tensorflow/commit/fa6b7782fbb14aa08d767bc799c531f5e1fb3bb8
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fr77-rrx3-cp7g
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cvgx-3v3q-m36c
- https://github.com/tensorflow/tensorflow/commit/a0d64445116c43cf46a5666bd4eee28e7a82f244
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-49rx-x2rw-pc6f
- https://github.com/tensorflow/tensorflow/commit/7cf73a2274732c9d82af51c2bc2cf90d13cd7e6d
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7v94-64hj-m82h
- https://github.com/tensorflow/tensorflow/commit/f2c3931113eaafe9ef558faaddd48e00a6606235
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6hpv-v2rx-c5g6
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m342-ff57-4jcc
- https://github.com/tensorflow/tensorflow/commit/701cfaca222a82afbeeb17496bd718baa65a67d2
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-786j-5qwq-r36x
- https://github.com/tensorflow/tensorflow/commit/7731e8dfbe4a56773be5dc94d631611211156659
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-j86v-p27c-73fm
- https://github.com/tensorflow/tensorflow/commit/f09caa532b6e1ac8d2aa61b7832c78c5b79300c6
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7pxj-m4jf-r6h2
- https://github.com/tensorflow/tensorflow/commit/b619c6f865715ca3b15ef1842b5b95edbaa710ad
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xrqm-fpgr-6hhx
- https://github.com/tensorflow/tensorflow/commit/6d94002a09711d297dbba90390d5482b76113899
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-5hx2-qx8j-qjqm
- https://github.com/tensorflow/tensorflow/commit/e5272d4204ff5b46136a1ef1204fc00597e21837
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-2p25-55c9-h58q
- https://github.com/tensorflow/tensorflow/commit/9294094df6fea79271778eb7e7ae1bad8b5ef98f
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-gh8h-7j2j-qv4f
- https://github.com/tensorflow/tensorflow/commit/874bda09e6702cd50bac90b453b50bcc65b2769e
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m539-j985-hcr8
- https://github.com/tensorflow/tensorflow/commit/12b1ff82b3f26ff8de17e58703231d5a02ef1b8b
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cq76-mxrc-vchh
- https://github.com/tensorflow/tensorflow/commit/e9c81c1e1a9cd8dd31f4e83676cab61b60658429