CVE-2021-41202

MEDIUM

TensorFlow - Memory Corruption

Title source: llm

Description

TensorFlow is an open source platform for machine learning. In affected versions while calculating the size of the output within the `tf.range` kernel, there is a conditional statement of type `int64 = condition ? int64 : double`. Due to C++ implicit conversion rules, both branches of the condition will be cast to `double` and the result would be truncated before the assignment. This result in overflows. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

References (5)

[Third Party Advisory] https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xrqm-fpgr-6hhx

[Issue Tracking, Third Party Advisory] https://github.com/tensorflow/tensorflow/issues/46889

[Issue Tracking, Third Party Advisory] https://github.com/tensorflow/tensorflow/issues/46912

[Patch, Third Party Advisory] https://github.com/tensorflow/tensorflow/commit/1b0e0ec27e7895b9985076eab32445026ae5ca94

[Patch, Third Party Advisory] https://github.com/tensorflow/tensorflow/commit/6d94002a09711d297dbba90390d5482b76113899

View Patch ZIP pw:eip

Scores

CVSS v3 5.5

EPSS 0.0004

EPSS Percentile 10.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-681

Status published

Products (5)

google/tensorflow 2.7.0 rc0 (2 CPE variants)

google/tensorflow 2.4.0 - 2.4.4

pypi/tensorflow 2.6.0 - 2.6.1PyPI

pypi/tensorflow-cpu 2.6.0 - 2.6.1PyPI

pypi/tensorflow-gpu 2.6.0 - 2.6.1PyPI

Published Nov 05, 2021

Tracked Since Feb 18, 2026