
CVE-2021-41199 : Exploit Details and Defense Strategies

Learn about CVE-2021-41199 affecting TensorFlow versions >= 2.6.0, < 2.6.1, >= 2.5.0, < 2.5.2, < 2.4.4. Find out the impact, mitigation steps, and prevention techniques.

TensorFlow is an open-source platform for machine learning. In affected versions, calling tf.image.resize with a sufficiently large input argument can crash the process because of an integer overflow.

Understanding CVE-2021-41199

Affected Version Ranges: >= 2.6.0 and < 2.6.1; >= 2.5.0 and < 2.5.2; < 2.4.4

What is CVE-2021-41199?

The vulnerability in TensorFlow arises when tf.image.resize is invoked with a substantial input, causing an integer overflow that trips a CHECK failure and crashes the TensorFlow process.

The Impact of CVE-2021-41199

        CVSS Base Score: 5.5 (Medium)
        Attack Complexity: Low
        Privileges Required: Low
        Attack Vector: Local
        Availability Impact: High
        Scope: Unchanged
        Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
        CWE ID: CWE-190 (Integer Overflow or Wraparound)

Technical Details of CVE-2021-41199

Vulnerability Description

The issue occurs when the number of elements in the output tensor exceeds the range of the int64_t type. The resulting overflow is caught by a CHECK statement, which terminates the process (a denial of service rather than memory corruption).

Affected Systems and Versions

        TensorFlow versions >= 2.6.0 and < 2.6.1
        TensorFlow versions >= 2.5.0 and < 2.5.2
        TensorFlow versions < 2.4.4

Exploitation Mechanism

The vulnerability is exploited by calling tf.image.resize with large input arguments, causing the process to terminate due to the overflow issue.

Mitigation and Prevention

Immediate Steps to Take

        Upgrade TensorFlow to version 2.7.0 when it becomes available.
        Apply patches available for TensorFlow 2.6.1, 2.5.2, and 2.4.4.
        Avoid calling tf.image.resize with excessively large arguments.
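The following is an added example, not code from this page or from TensorFlow itself, showing how the last step above can be enforced in application code. It recomputes the element count of the tensor tf.image.resize would produce using Python's arbitrary-precision integers, so the multiplication itself cannot wrap, and refuses the call before TensorFlow reaches the CHECK failure described under Exploitation Mechanism. The element budget DEFAULT_MAX_OUTPUT_ELEMENTS and the function names are assumptions chosen for this example; the shape conventions ([batch, height, width, channels] or [height, width, channels] input, [new_height, new_width] size) are those of tf.image.resize.

```python
"""Pre-flight guard for tf.image.resize requests (added example, not TensorFlow code)."""
from typing import Sequence

INT64_MAX = 2**63 - 1  # the int64_t limit that the vulnerable shape computation exceeds

# Constructed policy budget (assumption for this example): 2**31 float32 elements is
# about 8 GiB, far more than a single image resize should ever be allowed to allocate.
DEFAULT_MAX_OUTPUT_ELEMENTS = 2**31


class ResizeSizeError(ValueError):
    """Raised when a requested resize is unsafe to hand to tf.image.resize."""


def resized_output_elements(image_shape: Sequence[int], size: Sequence[int]) -> int:
    """Element count of tf.image.resize(image, size) output, computed with Python
    ints so the product is exact regardless of magnitude.

    image_shape is [batch, height, width, channels] or [height, width, channels];
    size is [new_height, new_width].
    """
    if len(image_shape) not in (3, 4):
        raise ResizeSizeError(f"image must be rank 3 or 4, got rank {len(image_shape)}")
    if len(size) != 2:
        raise ResizeSizeError("size must be [new_height, new_width]")
    dims = list(image_shape) + list(size)
    if any(isinstance(d, bool) or not isinstance(d, int) or d < 0 for d in dims):
        raise ResizeSizeError("all dimensions must be non-negative integers")
    new_h, new_w = size
    batch = image_shape[0] if len(image_shape) == 4 else 1
    channels = image_shape[-1]
    return batch * new_h * new_w * channels


def check_resize_request(image_shape: Sequence[int], size: Sequence[int],
                         max_elements: int = DEFAULT_MAX_OUTPUT_ELEMENTS) -> int:
    """Validate a resize request and return its output element count.

    Checks the int64 range first (the CVE-2021-41199 condition), then the
    caller's memory budget, and raises ResizeSizeError on either failure.
    """
    n = resized_output_elements(image_shape, size)
    if n > INT64_MAX:
        raise ResizeSizeError(
            f"output element count {n} overflows int64 (CVE-2021-41199 condition)")
    if n > max_elements:
        raise ResizeSizeError(f"output element count {n} exceeds budget {max_elements}")
    return n


def classify_resize_request(image_shape: Sequence[int], size: Sequence[int],
                            max_elements: int = DEFAULT_MAX_OUTPUT_ELEMENTS) -> str:
    """Non-raising variant for logging or triage: returns one of
    'ok', 'int64_overflow', 'over_budget' or 'invalid'."""
    try:
        n = resized_output_elements(image_shape, size)
    except ResizeSizeError:
        return "invalid"
    if n > INT64_MAX:
        return "int64_overflow"
    if n > max_elements:
        return "over_budget"
    return "ok"


def safe_resize(image, size, max_elements: int = DEFAULT_MAX_OUTPUT_ELEMENTS):
    """Validate, then delegate to tf.image.resize. TensorFlow is imported lazily so
    the guard itself has no TensorFlow dependency and can be unit-tested alone."""
    shape = tuple(int(d) for d in image.shape)
    check_resize_request(shape, tuple(int(d) for d in size), max_elements)
    import tensorflow as tf  # assumption: TensorFlow (patched 2.4.4/2.5.2/2.6.1+) is installed
    return tf.image.resize(image, size)


if __name__ == "__main__":
    # Constructed sample requests: a normal batch resize and an oversized one.
    print(classify_resize_request((2, 224, 224, 3), (224, 224)))     # ok
    print(classify_resize_request((1, 1, 1, 1), (2**32, 2**32)))     # int64_overflow
```

Because the check runs before any TensorFlow call, it applies equally to the vulnerable and patched releases; on patched builds it turns what would be a clean error into a rejection the application can log and attribute to a specific request, which is the useful signal for detecting abuse of a resize endpoint.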

Long-Term Security Practices

        Regularly update TensorFlow to the latest supported versions.
        Monitor TensorFlow security advisories for patches and updates.

Patching and Updates

        The fix for this vulnerability will be included in TensorFlow 2.7.0.
