CVE-2021-37668

MEDIUM

Google Tensorflow < 2.3.4 - Divide By Zero

Title source: rule

Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause denial of service in applications serving models using `tf.raw_ops.UnravelIndex` by triggering a division by 0. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/unravel_index_op.cc#L36) does not check that the tensor subsumed by `dims` is not empty. Hence, if one element of `dims` is 0, the implementation does a division by 0. We have patched the issue in GitHub commit a776040a5e7ebf76eeb7eb923bf1ae417dd4d233. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

References (2)

[Patch, Third Party Advisory] https://github.com/tensorflow/tensorflow/commit/a776040a5e7ebf76eeb7eb923bf1ae417dd4d233

[Third Party Advisory] https://github.com/tensorflow/tensorflow/security/advisories/GHSA-2wmv-37vq-52g5

Scores

CVSS v3 5.5

EPSS 0.0004

EPSS Percentile 13.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-369

Status published

Affected Products (8)

google/tensorflow < 2.3.4

google/tensorflow

pypi/tensorflow < 2.3.4PyPI

pypi/tensorflow-cpu < 2.3.4PyPI

pypi/tensorflow-gpu < 2.3.4PyPI

Timeline

Published Aug 12, 2021

Tracked Since Feb 18, 2026