CVE-2020-26270

Summary

In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.

Affected Software

VendorProductVersion RangeStatus
tensorflowtensorflow< 1.15.5affected
tensorflowtensorflow>= 2.0.0, < 2.0.4affected
tensorflowtensorflow>= 2.1.0, < 2.1.3affected
tensorflowtensorflow>= 2.2.0, < 2.2.2affected
tensorflowtensorflow>= 2.3.0, < 2.3.2affected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation

ADP Enrichment

CVE Program Container

Additional References

References