CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37688 – Null pointer dereference in TensorFlow Lite
https://notcve.org/view.php?id=CVE-2021-37688
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service. The [implementation](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/internal/optimized/optimized_ops.h#L268-L285) unconditionally dereferences a pointer. We have patched the issue in GitHub commit 15691e456c7dc9bd6be203b09765b063bf4a380c. The fix will be included in TensorFlow 2.6.0. • https://github.com/tensorflow/tensorflow/commit/15691e456c7dc9bd6be203b09765b063bf4a380c https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vcjj-9vg7-vf68 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37686 – Infinite loop in TensorFlow Lite
https://notcve.org/view.php?id=CVE-2021-37686
TensorFlow is an end-to-end open source platform for machine learning. In affected versions the strided slice implementation in TFLite has a logic bug which can allow an attacker to trigger an infinite loop. This arises from newly introduced support for [ellipsis in axis definition](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/strided_slice.cc#L103-L122). An attacker can craft a model such that `ellipsis_end_idx` is smaller than `i` (e.g., always negative). In this case, the inner loop does not increase `i` and the `continue` statement causes execution to skip over the preincrement at the end of the outer loop. • https://github.com/tensorflow/tensorflow/commit/dfa22b348b70bb89d6d6ec0ff53973bacb4f4695 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mhhc-q96p-mfm9 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37680 – Division by zero in TFLite in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37680
TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of fully connected layers in TFLite is [vulnerable to a division by zero error](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/fully_connected.cc#L226). We have patched the issue in GitHub commit 718721986aa137691ee23f03638867151f74935f. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range. • https://github.com/tensorflow/tensorflow/commit/718721986aa137691ee23f03638867151f74935f https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cfpj-3q4c-jhvr • CWE-369: Divide By Zero •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37675 – Division by 0 in most convolution operators in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37675
TensorFlow is an end-to-end open source platform for machine learning. In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/framework/common_shape_fns.cc#L577) is missing several validations before doing divisions and modulo operations. We have patched the issue in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. The fix will be included in TensorFlow 2.6.0. • https://github.com/tensorflow/tensorflow/commit/8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9c8h-2mv3-49ww • CWE-369: Divide By Zero •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37676 – Reference binding to nullptr in shape inference in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37676
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in `tf.raw_ops.SparseFillEmptyRows`. The shape inference [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/ops/sparse_ops.cc#L608-L634) does not validate that the input arguments are not empty tensors. We have patched the issue in GitHub commit 578e634b4f1c1c684d4b4294f9e5281b2133b3ed. The fix will be included in TensorFlow 2.6.0. • https://github.com/tensorflow/tensorflow/commit/578e634b4f1c1c684d4b4294f9e5281b2133b3ed https://github.com/tensorflow/tensorflow/security/advisories/GHSA-v768-w7m9-2vmm • CWE-824: Access of Uninitialized Pointer •