CVE-2021-29611
LOWTensorFlow < 2.1.4, 2.3.0-2.3.3 - Denial of Service via SparseReshape CHECK-Failure
Title source: llmDescription
TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseReshape` results in a denial of service based on a `CHECK`-failure. The implementation(https://github.com/tensorflow/tensorflow/blob/e87b51ce05c3eb172065a6ea5f48415854223285/tensorflow/core/kernels/sparse_reshape_op.cc#L40) has no validation that the input arguments specify a valid sparse tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are the only affected versions.
References (2)
Core 2
Core References
Exploit, Patch, Third Party Advisory x_refsource_confirm
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9rpc-5v9q-5r7f
Patch, Third Party Advisory x_refsource_misc
https://github.com/tensorflow/tensorflow/commit/1d04d7d93f4ed3854abf75d6b712d72c3f70d6b6
Scores
CVSS v3
3.6
EPSS
0.0020
EPSS Percentile
10.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
Details
CWE
CWE-665
CWE-20
Status
published
Products (4)
google/tensorflow
< 2.1.4
pypi/tensorflow
2.3.0 - 2.3.3PyPI
pypi/tensorflow-cpu
2.3.0 - 2.3.3PyPI
pypi/tensorflow-gpu
2.3.0 - 2.3.3PyPI
Published
May 14, 2021
Tracked Since
Feb 18, 2026