CVE-2021-41197
Description
TensorFlow is an open source platform for machine learning. In affected versions TensorFlow allows a tensor to have a large number of dimensions, and each dimension can be as large as desired. However, the total number of elements in a tensor must fit within an int64_t. If an overflow occurs, MultiplyWithoutOverflow would return a negative result. In the majority of the TensorFlow codebase this then results in a CHECK-failure. Newer constructs exist which return a Status instead of crashing the binary. This is similar to CVE-2021-29584. The fix will be included in TensorFlow 2.7.0. We will also cherry-pick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.
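As an added illustration (not TensorFlow's own code), the following C++ reimplements the overflow-checked multiply the description names, with its -1 sentinel, and pairs it with a shape element-count helper that reports the overflow as an error value the caller can handle rather than tripping a CHECK; ShapeStatus and NumElementsOrError are assumed names, and the shapes are constructed.

```cpp
#include <cstdint>
#include <iostream>
#include <limits>
#include <string>
#include <vector>

// Reimplementation (not TensorFlow's code) of the helper the advisory names:
// multiplies two non-negative int64 values and returns -1 instead of a wrapped
// result when the product would not fit in int64_t.
int64_t MultiplyWithoutOverflow(int64_t x, int64_t y) {
  if (x < 0 || y < 0) return -1;
  if (x != 0 && y > std::numeric_limits<int64_t>::max() / x) return -1;
  return x * y;
}

// Minimal stand-in for a Status-returning result (assumed type, not TF's).
struct ShapeStatus {
  bool ok;
  int64_t num_elements;  // meaningful only when ok is true
  std::string message;
};

// Element count of a shape. An overflow is reported as an error the caller can
// handle instead of letting the negative sentinel reach a CHECK that aborts the
// process (the failure mode the description attributes to most of the codebase).
ShapeStatus NumElementsOrError(const std::vector<int64_t>& dims) {
  int64_t n = 1;
  for (size_t i = 0; i < dims.size(); ++i) {
    if (dims[i] < 0)
      return {false, 0, "negative size in dimension " + std::to_string(i)};
    n = MultiplyWithoutOverflow(n, dims[i]);
    if (n < 0)
      return {false, 0, "element count overflows int64_t at dimension " +
                            std::to_string(i)};
  }
  return {true, n, ""};
}

int main() {
  // Constructed shapes: a normal one and one with more than INT64_MAX elements.
  const std::vector<int64_t> small = {2, 3, 4};
  const std::vector<int64_t> huge = {int64_t{1} << 32, int64_t{1} << 32};
  for (const auto* s : {&small, &huge}) {
    ShapeStatus st = NumElementsOrError(*s);
    std::cout << (st.ok ? "ok: " + std::to_string(st.num_elements)
                        : "error: " + st.message)
              << "\n";
  }
  return 0;
}
```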
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tensorflow (PyPI) | >= 2.6.0, < 2.6.1 | 2.6.1 |
| tensorflow (PyPI) | >= 2.5.0, < 2.5.2 | 2.5.2 |
| tensorflow (PyPI) | < 2.4.4 | 2.4.4 |
| tensorflow-cpu (PyPI) | >= 2.6.0, < 2.6.1 | 2.6.1 |
| tensorflow-cpu (PyPI) | >= 2.5.0, < 2.5.2 | 2.5.2 |
| tensorflow-cpu (PyPI) | < 2.4.4 | 2.4.4 |
| tensorflow-gpu (PyPI) | >= 2.6.0, < 2.6.1 | 2.6.1 |
| tensorflow-gpu (PyPI) | >= 2.5.0, < 2.5.2 | 2.5.2 |
| tensorflow-gpu (PyPI) | < 2.4.4 | 2.4.4 |
References
- github.com/tensorflow/tensorflow/commit/7c1692bd417eb4f9b33ead749a41166d6080af85 (NVD: Patch, Third Party Advisory)
- github.com/tensorflow/tensorflow/commit/a871989d7b6c18cdebf2fb4f0e5c5b62fbc19edf (NVD: Patch, Third Party Advisory)
- github.com/tensorflow/tensorflow/commit/d81b1351da3e8c884ff836b64458d94e4a157c15 (NVD: Patch, Third Party Advisory)
- github.com/tensorflow/tensorflow/security/advisories/GHSA-prcg-wp5q-rv7p (NVD: Patch, Third Party Advisory)
- github.com/tensorflow/tensorflow/issues/46890 (NVD: Exploit, Third Party Advisory)
- github.com/tensorflow/tensorflow/issues/51908 (NVD: Exploit, Third Party Advisory)
- github.com/advisories/GHSA-prcg-wp5q-rv7p (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-41197 (GHSA: Advisory)
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-607.yaml (GHSA: Web)
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-805.yaml (GHSA: Web)
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-390.yaml (GHSA: Web)