Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-41211

Good to know:

icon

Date: November 5, 2021

TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for `QuantizeV2` can trigger a read outside of bounds of heap allocated array. This occurs whenever `axis` is a negative value less than `-1`. In this case, we are accessing data before the start of a heap buffer. The code allows `axis` to be an optional argument (`s` would contain an `error::NOT_FOUND` error code). Otherwise, it assumes that `axis` is a valid index into the dimensions of the `input` tensor. If `axis` is less than `-1` then this results in a heap OOB read. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, as this version is the only one that is also affected.

Language: Python

Severity Score

Related Resources (4)

https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cvgx-3v3q-m36c
https://nvd.nist.gov/vuln/detail/CVE-2021-41211
https://github.com/tensorflow/tensorflow/commit/a0d64445116c43cf46a5666bd4eee28e7a82f244
https://www.mend.io/vulnerability-database/CVE-2021-41211

Severity Score

Weakness Type (CWE)

Out-of-bounds Read

CWE-125

Top Fix

icon

Upgrade Version

Upgrade to version tensorflow -2.6.1;tensorflow-cpu - 2.6.1;tensorflow-gpu - 2.6.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): LOCAL
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): NONE
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us