Low severityNVD Advisory· Published May 14, 2021· Updated Aug 3, 2024

Heap buffer overflow and undefined behavior in `FusedBatchNorm`

CVE-2021-29583

Description

TensorFlow is an end-to-end open source platform for machine learning. The implementation of tf.raw_ops.FusedBatchNorm is vulnerable to a heap buffer overflow. If the tensors are empty, the same implementation can trigger undefined behavior by dereferencing null pointers. The implementation(https://github.com/tensorflow/tensorflow/blob/57d86e0db5d1365f19adcce848dfc1bf89fdd4c7/tensorflow/core/kernels/fused_batch_norm_op.cc) fails to validate that scale, offset, mean and variance (the last two only when required) all have the same number of elements as the number of channels of x. This results in heap out of bounds reads when the buffers backing these tensors are indexed past their boundary. If the tensors are empty, the validation mentioned in the above paragraph would also trigger and prevent the undefined behavior. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
tensorflowPyPI	< 2.1.4	2.1.4
tensorflowPyPI	>= 2.2.0, < 2.2.3	2.2.3
tensorflowPyPI	>= 2.3.0, < 2.3.3	2.3.3
tensorflowPyPI	>= 2.4.0, < 2.4.2	2.4.2
tensorflow-cpuPyPI	< 2.1.4	2.1.4
tensorflow-cpuPyPI	>= 2.2.0, < 2.2.3	2.2.3
tensorflow-cpuPyPI	>= 2.3.0, < 2.3.3	2.3.3
tensorflow-cpuPyPI	>= 2.4.0, < 2.4.2	2.4.2
tensorflow-gpuPyPI	< 2.1.4	2.1.4
tensorflow-gpuPyPI	>= 2.2.0, < 2.2.3	2.2.3
tensorflow-gpuPyPI	>= 2.3.0, < 2.3.3	2.3.3
tensorflow-gpuPyPI	>= 2.4.0, < 2.4.2	2.4.2

Affected products

Tensorflow/Tensorflowv5
Range: < 2.1.4

Patches

6972f9dfe325

Add missing valuidation to FusedBatchNorm.

https://github.com/tensorflow/tensorflowMihai MaruseacMay 7, 2021via ghsa

commit

1 file changed · +27 −1

tensorflow/core/kernels/fused_batch_norm_op.cc+27 −1 modified

@@ -1282,6 +1282,32 @@ class FusedBatchNormOpBase : public OpKernel {
                   errors::InvalidArgument("Error during tensor copy."));
     }
 
+    const auto num_channels = GetTensorDim(x, tensor_format_, 'C');
+    OP_REQUIRES(
+        context, scale.NumElements() == num_channels,
+        errors::InvalidArgument("scale must have the same number of elements "
+                                "as the channels of x, got ",
+                                scale.NumElements(), " and ", num_channels));
+    OP_REQUIRES(
+        context, offset.NumElements() == num_channels,
+        errors::InvalidArgument("offset must have the same number of elements "
+                                "as the channels of x, got ",
+                                offset.NumElements(), " and ", num_channels));
+    if (estimated_mean.NumElements() != 0) {
+      OP_REQUIRES(context, estimated_mean.NumElements() == num_channels,
+                  errors::InvalidArgument(
+                      "mean must be empty or have the same number of "
+                      "elements as the channels of x, got ",
+                      estimated_mean.NumElements(), " and ", num_channels));
+    }
+    if (estimated_variance.NumElements() != 0) {
+      OP_REQUIRES(context, estimated_variance.NumElements() == num_channels,
+                  errors::InvalidArgument(
+                      "variance must be empty or have the same number of "
+                      "elements as the channels of x, got ",
+                      estimated_variance.NumElements(), " and ", num_channels));
+    }
+
     if (has_side_input_) {
       OP_REQUIRES(context, side_input->shape() == x.shape(),
                   errors::InvalidArgument(
@@ -1294,7 +1320,7 @@ class FusedBatchNormOpBase : public OpKernel {
       // NOTE(ezhulenev): This requirement is coming from implementation
       // details of cudnnBatchNormalizationForwardTrainingEx.
       OP_REQUIRES(
-          context, !is_training_ || x.dim_size(3) % 4 == 0,
+          context, !is_training_ || num_channels % 4 == 0,
           errors::InvalidArgument("FusedBatchNorm with activation requires "
                                   "channel dimension to be a multiple of 4."));
     }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-9xh4-23q4-v6wrghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2021-29583ghsaADVISORY
github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-511.yamlghsaWEB
github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-709.yamlghsaWEB
github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-220.yamlghsaWEB
github.com/tensorflow/tensorflow/commit/6972f9dfe325636b3db4e0bc517ee22a159365c0ghsax_refsource_MISCWEB
github.com/tensorflow/tensorflow/security/advisories/GHSA-9xh4-23q4-v6wrghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.065
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000