CVE-2021-41206
Description
TensorFlow is an open source platform for machine learning. In affected versions several TensorFlow operations are missing validation for the shapes of the tensor arguments involved in the call. Depending on the API, this can result in undefined behavior and segfault or CHECK-fail related crashes but in some scenarios writes and reads from heap populated arrays are also possible. We have discovered these issues internally via tooling while working on improving/testing GPU op determinism. As such, we don't have reproducers and there will be multiple fixes for these issues. These fixes will be included in TensorFlow 2.7.0. We will also cherrypick these commits on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tensorflowPyPI | >= 2.6.0, < 2.6.1 | 2.6.1 |
tensorflowPyPI | >= 2.5.0, < 2.5.2 | 2.5.2 |
tensorflowPyPI | < 2.4.4 | 2.4.4 |
tensorflow-cpuPyPI | >= 2.6.0, < 2.6.1 | 2.6.1 |
tensorflow-cpuPyPI | >= 2.5.0, < 2.5.2 | 2.5.2 |
tensorflow-cpuPyPI | < 2.4.4 | 2.4.4 |
tensorflow-gpuPyPI | >= 2.6.0, < 2.6.1 | 2.6.1 |
tensorflow-gpuPyPI | >= 2.5.0, < 2.5.2 | 2.5.2 |
tensorflow-gpuPyPI | < 2.4.4 | 2.4.4 |
Affected products
5- osv-coords4 versions
>= 2.4.0, < 2.4.4+ 3 more
- (no CPE)range: >= 2.4.0, < 2.4.4
- (no CPE)range: >= 2.6.0, < 2.6.1
- (no CPE)range: >= 2.6.0, < 2.6.1
- (no CPE)range: >= 2.6.0, < 2.6.1
- Range: >= 2.6.0, < 2.6.1
Patches
Vulnerability mechanics
References
12- github.com/tensorflow/tensorflow/commit/4d74d8a00b07441cba090a02e0dd9ed385145bf4nvdPatchThird Party AdvisoryWEB
- github.com/tensorflow/tensorflow/commit/4dddb2fd0b01cdd196101afbba6518658a2c9e07nvdPatchThird Party AdvisoryWEB
- github.com/tensorflow/tensorflow/commit/579261dcd446385831fe4f7457d802a59685121dnvdPatchThird Party AdvisoryWEB
- github.com/tensorflow/tensorflow/commit/68422b215e618df5ad375bcdc6d2052e9fd3080anvdPatchThird Party AdvisoryWEB
- github.com/tensorflow/tensorflow/commit/da4aad5946be30e5f049920fa076e1f7ef021261nvdPatchThird Party AdvisoryWEB
- github.com/tensorflow/tensorflow/commit/e7f497570abb6b4ae5af4970620cd880e4c0c904nvdPatchThird Party AdvisoryWEB
- github.com/advisories/GHSA-pgcq-h79j-2f69ghsaADVISORY
- github.com/tensorflow/tensorflow/security/advisories/GHSA-pgcq-h79j-2f69nvdThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2021-41206ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-845.yamlghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-847.yamlghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-843.yamlghsaWEB
News mentions
0No linked articles in our index yet.