CVE-2021-29618
LOWTensorFlow < 2.1.4 - Denial of Service via tf.transpose with Complex Argument
Title source: llmDescription
TensorFlow is an end-to-end open source platform for machine learning. Passing a complex argument to `tf.transpose` at the same time as passing `conjugate=True` argument results in a crash. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
References (4)
Core 4
Core References
Exploit, Patch, Third Party Advisory x_refsource_confirm
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xqfj-cr6q-pc8w
Patch, Third Party Advisory x_refsource_misc
https://github.com/tensorflow/tensorflow/commit/1dc6a7ce6e0b3e27a7ae650bfc05b195ca793f88
Broken Link x_refsource_misc
https://github.com/tensorflow/issues/42105
Broken Link x_refsource_misc
https://github.com/tensorflow/issues/46973
Scores
CVSS v3
2.5
EPSS
0.0023
EPSS Percentile
13.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Details
CWE
CWE-755
Status
published
Products (4)
google/tensorflow
< 2.1.4
pypi/tensorflow
0 - 2.1.4PyPI
pypi/tensorflow-cpu
0 - 2.1.4PyPI
pypi/tensorflow-gpu
0 - 2.1.4PyPI
Published
May 14, 2021
Tracked Since
Feb 18, 2026