Description
In Tensorflow before version 2.4.0, when the `boxes` argument of `tf.image.crop_and_resize` has a very large value, the CPU kernel implementation receives it as a C++ `nan` floating point value. Attempting to operate on this is undefined behavior which later produces a segmentation fault. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.
References (3)
Core 3
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xwhf-g6j5-j5gc
Exploit, Patch, Third Party Advisory x_refsource_confirm
https://github.com/tensorflow/tensorflow/issues/42129
Patch, Third Party Advisory x_refsource_confirm
https://github.com/tensorflow/tensorflow/pull/42143/commits/3ade2efec2e90c6237de32a19680caaa3ebc2845
Scores
CVSS v3
3.7
EPSS
0.0092
EPSS Percentile
55.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Details
CWE
CWE-119
Status
published
Products (4)
google/tensorflow
< 2.4.0
pypi/tensorflow
0 - 2.4.0PyPI
pypi/tensorflow-cpu
0 - 2.4.0PyPI
pypi/tensorflow-gpu
0 - 2.4.0PyPI
Published
Oct 21, 2020
Tracked Since
Feb 18, 2026