Login

Cloud Defense Logo

Products

Solutions

Company

Book A Live Demo

CVE-2021-41198 : Security Advisory and Response

Learn about CVE-2021-41198 affecting TensorFlow versions 2.4.4, 2.5.0-2.5.2, and 2.6.0-2.6.1. Discover the impact, mitigation steps, and how to prevent the overflow vulnerability.

TensorFlow is an open-source platform for machine learning. In affected versions, calling 

tf.tile
with a large input argument results in a process crash due to an overflow. This issue affects versions >= 2.6.0, < 2.6.1; >= 2.5.0, < 2.5.2; and < 2.4.4. The impact includes a high availability impact with a CVSS base score of 5.5.

Understanding CVE-2021-41198

In this CVE, the 

tf.tile
function in TensorFlow triggers a process crash when tiled with a large tensor due to an overflow condition.

What is CVE-2021-41198?

        TensorFlow experiences a crash if 
        tf.tile
        is used with a large input, causing an overflow due to an element count exceeding 
        int64_t
        range.

The Impact of CVE-2021-41198

        CVSS Score: 5.5 (Medium Severity)
        Attack Vector: Local
        Privileges Required: Low
        User Interaction: None
        Availability Impact: High
        Integrity Impact: None
        Confidentiality Impact: None
        Scope: Unchanged

Technical Details of CVE-2021-41198

This section covers the technical aspects of the vulnerability.

Vulnerability Description

        The issue arises in TensorFlow when 
        tf.tile
        is used with a large input, leading to a process crash from an overflow detected by a 
        CHECK
        statement.

Affected Systems and Versions

        Versions >= 2.6.0, < 2.6.1
        Versions >= 2.5.0, < 2.5.2
        Version < 2.4.4

Exploitation Mechanism

        Calling 
        tf.tile
        excessively with a significant input tensor triggers the overflow, detected by a 
        CHECK
        statement, resulting in a process crash.

Mitigation and Prevention

Suggestions to mitigate the impact and prevent future occurrences.

Immediate Steps to Take

        Update TensorFlow to version 2.7.0 when available.
        Apply patches/cherry-picks on TensorFlow 2.6.1, 2.5.2, and 2.4.4.

Long-Term Security Practices

        Regularly check for TensorFlow updates and apply them promptly.
        Ensure input data within TensorFlow functions stays within safe ranges.

Patching and Updates

        The fix will be included in TensorFlow 2.7.0.
        Apply patches/cherry-picks on TensorFlow 2.6.1, 2.5.2, and 2.4.4 to address the vulnerability.

Popular CVEs

CVE Id

Published Date

Is your System Free of Underlying Vulnerabilities?
Find Out Now