Input validation error in TensorFlow - CVE-2021-29607

 

Published: May 13, 2021 / Updated: May 4, 2026


Vulnerability identifier: #VU129283
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2021-29607
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: TensorFlow
Software vendor: TensorFlow

Description

The vulnerability allows a remote attacker to cause a denial of service or corrupt memory.

The vulnerability exists due to improper input validation in the SparseSparseMinimum operation when processing invalid sparse tensor inputs. A remote attacker can send crafted tensor triples to cause a denial of service or corrupt memory.

The issue stems from missing checks for empty tensors and for mismatched index dimensions relative to the corresponding shape tensors.
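The two missing checks named above can be enforced before sparse inputs reach the operation, for instance at a model-serving boundary. The following is an added example, not TensorFlow's code and not the vendor's patch; it uses nested Python lists in place of tensors, and all function and variable names are hypothetical. It assumes any empty component should be rejected, and it goes slightly beyond the advisory by also bounds-checking each index and requiring both operands to share one shape.

```python
class SparseInputError(ValueError):
    """Raised when a sparse (indices, values, shape) triple is malformed."""


def _is_index(x):
    return isinstance(x, int) and not isinstance(x, bool)


def validate_sparse_triple(name, indices, values, shape):
    """Check one triple; return (nnz, rank) or raise SparseInputError."""
    # Empty-tensor checks (assumption: conservatively reject any empty component).
    for label, part in (("indices", indices), ("values", values), ("shape", shape)):
        if not isinstance(part, (list, tuple)) or len(part) == 0:
            raise SparseInputError(f"{name}_{label} is empty or not a list")
    if not all(_is_index(d) and d > 0 for d in shape):
        raise SparseInputError(f"{name}_shape must hold positive integers")
    rank = len(shape)
    if len(indices) != len(values):
        raise SparseInputError(f"{name}: {len(indices)} index rows for {len(values)} values")
    for row_no, row in enumerate(indices):
        # Index dimension must match the number of elements in the shape tensor.
        if not isinstance(row, (list, tuple)) or len(row) != rank:
            raise SparseInputError(f"{name}_indices[{row_no}] does not have {rank} columns")
        # Bounds check: an extra invariant, not named in the advisory.
        if not all(_is_index(i) and 0 <= i < d for i, d in zip(row, shape)):
            raise SparseInputError(f"{name}_indices[{row_no}] is outside {name}_shape")
    return len(values), rank


def validate_sparse_pair(a, b):
    """Validate both operands of an element-wise sparse op before dispatch."""
    a_info = validate_sparse_triple("a", *a)
    b_info = validate_sparse_triple("b", *b)
    # Assumption: operands must share one dense shape (no broadcasting).
    if list(a[2]) != list(b[2]):
        raise SparseInputError("a_shape and b_shape differ")
    return a_info, b_info


def is_rejected(a, b):
    """Return True when the pair fails validation."""
    try:
        validate_sparse_pair(a, b)
    except SparseInputError:
        return True
    return False


# Constructed sample inputs (not taken from the advisory).
GOOD_A = ([[0, 1], [2, 3]], [1.0, 5.0], [3, 4])
GOOD_B = ([[0, 1]], [2.0], [3, 4])
EMPTY_SHAPE = ([[0, 1]], [1.0], [])
RANK_MISMATCH = ([[0, 1, 0]], [1.0], [3, 4])
```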


Remediation

Install the security update from the vendor's website.
