SB2022051757 - Multiple vulnerabilities in TensorFlow
Published: May 17, 2022 Updated: May 4, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Integer overflow (CVE-ID: CVE-2021-41197)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an integer overflow in depthwise ops when processing crafted tensor inputs. A remote attacker can supply crafted filter_sizes values to trigger an assertion failure and cause a denial of service.
2) Input validation error (CVE-ID: CVE-2021-41206)
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper input validation in tf.sparse.split when processing a non-scalar axis argument. A remote user can supply a tuple or list for the axis parameter to cause a denial of service.
The crash may manifest as a segfault or a heap out-of-bounds read.
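Both entries above are input-validation failures: an element count that overflows int64 for a depthwise filter_sizes vector, and a non-scalar axis reaching tf.sparse.split. The following is an added example, not TensorFlow's code and not the linked patches, showing the pre-checks a caller can apply to untrusted values before they reach either op. It is pure Python so it runs without TensorFlow installed; the function names, the 4-entry filter_sizes layout and the int64 bound are assumptions made for the example.

```python
"""Caller-side pre-checks for the two bug classes in this bulletin.

Added example (hypothetical helpers, not TensorFlow's own validation).
Rejects shapes whose element count would overflow int64 and axes that are
not scalar integers, so bad input is refused before any op is invoked.
"""
from typing import Optional, Sequence

INT64_MAX = 2**63 - 1  # assumed bound: TF element counts are int64


def multiply_without_overflow(a: int, b: int) -> int:
    """Return a*b, or -1 if either operand is negative or the product
    would not fit in an int64 (same contract as an overflow-checked multiply)."""
    if a < 0 or b < 0:
        return -1
    product = a * b  # Python ints are unbounded, so this is exact
    return product if product <= INT64_MAX else -1


def num_elements_or_none(shape: Sequence[int]) -> Optional[int]:
    """Fold the overflow-checked multiply over a shape; None means overflow."""
    n = 1
    for dim in shape:
        n = multiply_without_overflow(n, dim)
        if n < 0:
            return None
    return n


def validate_filter_sizes(filter_sizes: Sequence[int]) -> int:
    """Check a depthwise filter_sizes vector [h, w, in_channels, multiplier]
    (layout assumed for the example) and return its element count.
    Raises instead of letting an overflowed count reach the op."""
    if len(filter_sizes) != 4:
        raise ValueError("filter_sizes must have exactly 4 entries")
    for dim in filter_sizes:
        # bool is a subclass of int in Python; exclude it explicitly
        if isinstance(dim, bool) or not isinstance(dim, int) or dim < 0:
            raise ValueError(f"invalid filter dimension {dim!r}")
    count = num_elements_or_none(filter_sizes)
    if count is None:
        raise OverflowError("filter_sizes element count overflows int64")
    return count


def validate_split_axis(axis, rank: int) -> int:
    """Require a scalar int axis in [-rank, rank) for a rank-`rank` tensor
    and return it normalised to a non-negative index. A tuple or list,
    the shape named in this bulletin, is rejected with TypeError."""
    if isinstance(axis, bool) or not isinstance(axis, int):
        raise TypeError(f"axis must be a scalar int, got {type(axis).__name__}")
    if not -rank <= axis < rank:
        raise ValueError(f"axis {axis} out of range for rank {rank}")
    return axis % rank  # negative axes count from the end


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one of each rejected kind.
    print(validate_filter_sizes([3, 3, 64, 1]))        # 576
    print(validate_split_axis(-1, 3))                  # 2
    for bad in ([2**32, 2**32, 1, 1],):
        try:
            validate_filter_sizes(bad)
        except OverflowError as exc:
            print("rejected:", exc)
    try:
        validate_split_axis((0, 1), 2)
    except TypeError as exc:
        print("rejected:", exc)
```

The two helpers are deliberately separate from any TensorFlow call so they can sit at the trust boundary (an RPC handler or model-serving front end) where the values first arrive; the ops themselves should still be run on a patched build.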
Remediation
Install the update from the vendor's website.
References
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mw6j-hh29-h379
- https://github.com/tensorflow/tensorflow/commit/3796cc4fcd93ae55812a457abc96dcd55fbb854b
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-43q8-3fv7-pr5x
- https://github.com/tensorflow/tensorflow/commit/61bf91e768173b001d56923600b40d9a95a04ad5