CVE-2021-41195

MEDIUM

TensorFlow - DoS

Title source: llm
STIX 2.1

Description

TensorFlow is an open source platform for machine learning. In affected versions the implementation of `tf.math.segment_*` operations results in a `CHECK`-fail related abort (and denial of service) if a segment id in `segment_ids` is large. This is similar to CVE-2021-29584 (and similar other reported vulnerabilities in TensorFlow, localized to specific APIs): the implementation (both on CPU and GPU) computes the output shape using `AddDim`. However, if the number of elements in the tensor overflows an `int64_t` value, `AddDim` results in a `CHECK` failure which provokes a `std::abort`. Instead, code should use `AddDimWithStatus`. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

References (4)

Core 4
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/tensorflow/tensorflow/issues/46888
Patch, Third Party Advisory x_refsource_misc
https://github.com/tensorflow/tensorflow/pull/51733

Scores

CVSS v3 5.5
EPSS 0.0004
EPSS Percentile 11.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-190
Status published
Products (4)
google/tensorflow < 2.4.4
pypi/tensorflow 2.6.0 - 2.6.1PyPI
pypi/tensorflow-cpu 2.6.0 - 2.6.1PyPI
pypi/tensorflow-gpu 2.6.0 - 2.6.1PyPI
Published Nov 05, 2021
Tracked Since Feb 18, 2026