CVE-2021-29576: Improper Restriction of Operations within the Bounds of a Memory Buffer
TensorFlow is an end-to-end open source platform for machine learning. The implementation of tf.raw_ops.MaxPool3DGradGrad is vulnerable to a heap buffer overflow. The implementation does not check that the initialization of Pool3dParameters completes successfully. Since the constructor uses OP_REQUIRES to validate conditions, the first assertion that fails interrupts the initialization of params, leaving it with invalid data. In turn, this might cause a heap buffer overflow, depending on the default-initialized values.
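The failure mode described above, as an added illustration written for this page rather than taken from TensorFlow: Ctx, REQUIRES and PoolParams are constructed stand-ins for OpKernelContext, OP_REQUIRES and Pool3dParameters, and the kernel body appears once without and once with the status check that a fix for this class of bug adds.

```cpp
#include <string>
#include <vector>

// Constructed stand-in for TensorFlow's OpKernelContext: it only records a status.
struct Ctx {
  bool ok = true;
  std::string error;
};

// Constructed stand-in for OP_REQUIRES: on failure it records the error and
// returns from the enclosing function. It does not throw, so a constructor
// that uses it simply stops part-way through.
#define REQUIRES(ctx, cond, msg) \
  do { if (!(cond)) { (ctx)->ok = false; (ctx)->error = (msg); return; } } while (0)

// Constructed stand-in for Pool3dParameters. Fields are default-initialized,
// so a failed check leaves them at 0 rather than at validated values.
struct PoolParams {
  int window = 0;
  int out_len = 0;
  PoolParams(Ctx* ctx, const std::vector<int>& ksize, int in_len) {
    REQUIRES(ctx, ksize.size() == 5, "ksize must have 5 elements");
    REQUIRES(ctx, ksize[1] > 0, "pooling window must be positive");
    window = ksize[1];
    out_len = in_len / window;  // only reached when window > 0
  }
};

// Vulnerable shape: builds params and uses them without consulting ctx.ok.
// Returns the window the kernel would go on to index with; 0 means it is
// about to compute buffer offsets from invalid, default-initialized data.
int unchecked_window(const std::vector<int>& ksize, int in_len) {
  Ctx ctx;
  PoolParams params(&ctx, ksize, in_len);
  return params.window;
}

// Hardened shape: checks the context status before touching params, which is
// the kind of check (OP_REQUIRES_OK on the context status) that closes this bug.
bool checked_compute(const std::vector<int>& ksize, int in_len, std::vector<float>* out) {
  Ctx ctx;
  PoolParams params(&ctx, ksize, in_len);
  if (!ctx.ok) return false;  // abort the kernel instead of proceeding
  out->assign(static_cast<size_t>(params.out_len), 0.0f);
  return true;
}
```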