VYPR
Low severityNVD Advisory· Published Dec 10, 2020· Updated Aug 4, 2024

Lack of validation in data format attributes in TensorFlow

CVE-2020-26267

Description

In affected versions of TensorFlow the tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. This can result in uninitialized memory accesses, read outside of bounds and even crashes. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
tensorflowPyPI
< 1.15.51.15.5
tensorflowPyPI
>= 2.0.0, < 2.0.42.0.4
tensorflowPyPI
>= 2.1.0, < 2.1.32.1.3
tensorflowPyPI
>= 2.2.0, < 2.2.22.2.2
tensorflowPyPI
>= 2.3.0, < 2.3.22.3.2
tensorflow-cpuPyPI
< 1.15.51.15.5
tensorflow-cpuPyPI
>= 2.0.0, < 2.0.42.0.4
tensorflow-cpuPyPI
>= 2.1.0, < 2.1.32.1.3
tensorflow-cpuPyPI
>= 2.2.0, < 2.2.22.2.2
tensorflow-cpuPyPI
>= 2.3.0, < 2.3.22.3.2
tensorflow-gpuPyPI
< 1.15.51.15.5
tensorflow-gpuPyPI
>= 2.0.0, < 2.0.42.0.4
tensorflow-gpuPyPI
>= 2.1.0, < 2.1.32.1.3
tensorflow-gpuPyPI
>= 2.2.0, < 2.2.22.2.2
tensorflow-gpuPyPI
>= 2.3.0, < 2.3.22.3.2

Affected products

17

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.