CVE-2021-37691
MEDIUMTensorFlow 2.3.0-2.3.4 - Denial of Service via Division by Zero in LSH Projection
Title source: llmDescription
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can craft a TFLite model that would trigger a division by zero error in LSH [implementation](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/lsh_projection.cc#L118). We have patched the issue in GitHub commit 0575b640091680cfb70f4dd93e70658de43b94f9. The fix will be included in TensorFlow 2.6.0. We will also cherrypick thiscommit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_confirm
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-27qf-jwm8-g7f3
Patch, Third Party Advisory x_refsource_misc
https://github.com/tensorflow/tensorflow/commit/0575b640091680cfb70f4dd93e70658de43b94f9
Scores
CVSS v3
5.5
EPSS
0.0015
EPSS Percentile
4.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-369
Status
published
Products (6)
google/tensorflow
2.5.0
google/tensorflow
2.6.0 rc0 (3 CPE variants)
google/tensorflow
2.3.0 - 2.3.4
pypi/tensorflow
0 - 2.3.4PyPI
pypi/tensorflow-cpu
0 - 2.3.4PyPI
pypi/tensorflow-gpu
0 - 2.3.4PyPI
Published
Aug 12, 2021
Tracked Since
Feb 18, 2026