CVE-2021-41202
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
TensorFlow is an open source platform for machine learning. In affected versions while calculating the size of the output within the tf.range kernel, there is a conditional statement of type int64 = condition ? int64 : double. Due to C++ implicit conversion rules, both branches of the condition will be cast to double and the result would be truncated before the assignment. This result in overflows. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| tensorflow | tensorflow | >= 2.6.0, < 2.6.1 | affected |
| tensorflow | tensorflow | >= 2.5.0, < 2.5.2 | affected |
| tensorflow | tensorflow | < 2.4.4 | affected |
Weaknesses
- CWE-681: CWE-681: Incorrect Conversion between Numeric Types
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xrqm-fpgr-6hhx
- https://github.com/tensorflow/tensorflow/issues/46889
- https://github.com/tensorflow/tensorflow/issues/46912
- https://github.com/tensorflow/tensorflow/commit/1b0e0ec27e7895b9985076eab32445026ae5ca94
- https://github.com/tensorflow/tensorflow/commit/6d94002a09711d297dbba90390d5482b76113899
References
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xrqm-fpgr-6hhx
- https://github.com/tensorflow/tensorflow/issues/46889
- https://github.com/tensorflow/tensorflow/issues/46912
- https://github.com/tensorflow/tensorflow/commit/1b0e0ec27e7895b9985076eab32445026ae5ca94
- https://github.com/tensorflow/tensorflow/commit/6d94002a09711d297dbba90390d5482b76113899
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.