CVE-2021-41211
TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for `QuantizeV2` can trigger a read outside of bounds of heap allocated array. This occurs whenever `axis` is a negative value less than `-1`. In this case, we are accessing data before the start of a heap buffer. The code allows `axis` to be an optional argument (`s` would contain an `error::NOT_FOUND` error code). Otherwise, it assumes that `axis` is a valid index into the dimensions of the `input` tensor. If `axis` is less than `-1` then this results in a heap OOB read. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, as this version is the only one that is also affected.
EPSS 0.02% · 5.5th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | tensorflow | 2.6.0 |
| Bitnami | tensorflow | 2.6.0 |
Exploit Intelligence
Timeline
- Nov 5, 2021 CVE Published
- Nov 6, 2021 EPSS Score
- Jan 1, 2022 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 25, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jun 17, 2022 EPSS Score
- Aug 12, 2022 EPSS Score
- Oct 7, 2022 EPSS Score
- Dec 2, 2022 EPSS Score
- Jan 27, 2023 EPSS Score
- Mar 7, 2023 EPSS Score