CVE-2021-37673
MEDIUM
TensorFlow 2.3.0-2.3.3 - Denial of Service via MapStage CHECK-fail
Title source: llm
Description
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.MapStage`. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/map_stage_op.cc#L513) does not check that the `key` input is a valid non-empty tensor. We have patched the issue in GitHub commit d7de67733925de196ec8863a33445b73f9562d1d. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
References (2)
Core References
Third Party Advisory x_refsource_confirm
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-278g-rq84-9hmg
Patch, Third Party Advisory x_refsource_misc
https://github.com/tensorflow/tensorflow/commit/d7de67733925de196ec8863a33445b73f9562d1d
Scores
CVSS v3
5.5
EPSS
0.0015
EPSS Percentile
5.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-20
Status
published
Products (6)
google/tensorflow
2.5.0
google/tensorflow
2.6.0 rc0 (3 CPE variants)
google/tensorflow
2.3.0 - 2.3.4
pypi/tensorflow
0 - 2.3.4 (PyPI)
pypi/tensorflow-cpu
0 - 2.3.4 (PyPI)
pypi/tensorflow-gpu
0 - 2.3.4 (PyPI)
Published
Aug 12, 2021
Tracked Since
Feb 18, 2026