CVE-2021-41221

Name
CVE-2021-41221
Description
TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for the `Cudnn*` operations in TensorFlow can be tricked into accessing invalid memory, via a heap buffer overflow. This occurs because the ranks of the `input`, `input_h` and `input_c` parameters are not validated, but code assumes they have certain values. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
CONFIRM https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cqv6-3phm-hcwx
MISC https://github.com/tensorflow/tensorflow/commit/af5fcebb37c8b5d71c237f4e59c6477015c78ce6

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:* tensorflow >= 2.4.0 < 2.4.4
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:* tensorflow >= 2.5.0 < 2.5.2
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:* tensorflow >= 2.6.0 < 2.6.1
cpe:2.3:a:google:tensorflow:2.7.0:rc0:*:*:*:*:*:* tensorflow == None == 2.7.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status