Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
409
VMScore

CVE-2021-37681

Published: 12/08/2021 Updated: 18/08/2021
CVSS v2 Base Score: 4.6 | Impact Score: 6.4 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 409
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
Subscribe to Google

Vulnerability Summary

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of SVDF in TFLite is [vulnerable to a null pointer error](github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/svdf.cc#L300-L313). The [`GetVariableInput` function](github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/kernel_util.cc#L115-L119) can return a null pointer but `GetTensorData` assumes that the argument is always a valid tensor. Furthermore, because `GetVariableInput` calls [`GetMutableInput`](github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/kernel_util.cc#L82-L90) which might return `nullptr`, the `tensor->is_variable` expression can also trigger a null pointer exception. We have patched the issue in GitHub commit 5b048e87e4e55990dae6b547add4dae59f4e1c76. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

google tensorflow

google tensorflow 2.5.0

google tensorflow 2.6.0

Vendor Advisories

Arch Linux Issues:
In TensorFlow before version 260 the implementation of SVDF in TFLite is vulnerable to a null pointer error The GetVariableInput function can return a null pointer but GetTensorData assumes that the argument is always a valid tensor Furthermore, because GetVariableInput calls GetMutableInput which might return nullptr, the tensor->is_variabl ...

References

CWE-476https://github.com/tensorflow/tensorflow/commit/5b048e87e4e55990dae6b547add4dae59f4e1c76https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7xwj-5r4v-429phttps://nvd.nist.govhttps://security.archlinux.org/CVE-2021-37681
VMScore
CVSSv2
CVSSv3
VMScore
Recommendations:
SSTICVE-2024-35863CVE-2024-35910man-in-the-middleCVE-2024-35912CVE-2024-25742LFICVE-2024-32002CVE-2024-22120
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook