Page 39 of 250 results (0.006 seconds)

CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 2

TensorFlow is an open source platform for machine learning. In affected versions the Keras pooling layers can trigger a segfault if the size of the pool is 0 or if a dimension is negative. This is due to the TensorFlow's implementation of pooling operations where the values in the sliding window are not checked to be strictly positive. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range. • https://github.com/tensorflow/tensorflow/commit/12b1ff82b3f26ff8de17e58703231d5a02ef1b8b https://github.com/tensorflow/tensorflow/issues/51936 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m539-j985-hcr8 • CWE-191: Integer Underflow (Wrap or Wraparound) •

CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 1

TensorFlow is an open source platform for machine learning. In affected versions the implementation of `tf.math.segment_*` operations results in a `CHECK`-fail related abort (and denial of service) if a segment id in `segment_ids` is large. This is similar to CVE-2021-29584 (and similar other reported vulnerabilities in TensorFlow, localized to specific APIs): the implementation (both on CPU and GPU) computes the output shape using `AddDim`. However, if the number of elements in the tensor overflows an `int64_t` value, `AddDim` results in a `CHECK` failure which provokes a `std::abort`. Instead, code should use `AddDimWithStatus`. • https://github.com/tensorflow/tensorflow/commit/e9c81c1e1a9cd8dd31f4e83676cab61b60658429 https://github.com/tensorflow/tensorflow/issues/46888 https://github.com/tensorflow/tensorflow/pull/51733 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cq76-mxrc-vchh • CWE-190: Integer Overflow or Wraparound •

CVSS: 6.6EPSS: 0%CPEs: 6EXPL: 0

TensorFlow is an end-to-end open source platform for machine learning. In affected versions when running shape functions, some functions (such as `MutableHashTableShape`) produce extra output information in the form of a `ShapeAndType` struct. The shapes embedded in this struct are owned by an inference context that is cleaned up almost immediately; if the upstream code attempts to access this shape information, it can trigger a segfault. `ShapeRefiner` is mitigating this for normal output shapes by cloning them (and thus putting the newly created shape under ownership of an inference context that will not die), but we were not doing the same for shapes and types. This commit fixes that by doing similar logic on output shapes and types. • https://github.com/tensorflow/tensorflow/commit/ee119d4a498979525046fba1c3dd3f13a039fbb1 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-3hxh-8cp2-g4hg • CWE-416: Use After Free •

CVSS: 9.3EPSS: 0%CPEs: 6EXPL: 0

TensorFlow is an end-to-end open source platform for machine learning. In affected versions TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/python/keras/saving/model_config.py#L66-L104) uses `yaml.unsafe_load` which can perform arbitrary code execution on the input. Given that YAML format support requires a significant amount of work, we have removed it for now. We have patched the issue in GitHub commit 23d6383eb6c14084a8fc3bdf164043b974818012. • https://github.com/tensorflow/tensorflow/commit/23d6383eb6c14084a8fc3bdf164043b974818012 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-r6jx-9g48-2r5r • CWE-502: Deserialization of Untrusted Data •

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0

TensorFlow is an end-to-end open source platform for machine learning. In affected versions under certain conditions, Go code can trigger a segfault in string deallocation. For string tensors, `C.TF_TString_Dealloc` is called during garbage collection within a finalizer function. However, tensor structure isn't checked until encoding to avoid a performance penalty. The current method for dealloc assumes that encoding succeeded, but segfaults when a string tensor is garbage collected whose encoding failed (e.g., due to mismatched dimensions). • https://github.com/tensorflow/tensorflow/commit/8721ba96e5760c229217b594f6d2ba332beedf22 https://github.com/tensorflow/tensorflow/pull/50508 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cmgw-8vpc-rc59 • CWE-20: Improper Input Validation •