CVE-2021-29521: Segfault in SparseCountSparseOutput
2.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.01803%
CWE
Published
5/21/2021
Updated
10/28/2024
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
tensorflow | pip | >= 2.3.0, < 2.3.3 | 2.3.3 |
tensorflow | pip | >= 2.4.0, < 2.4.2 | 2.4.2 |
tensorflow-cpu | pip | >= 2.3.0, < 2.3.3 | 2.3.3 |
tensorflow-cpu | pip | >= 2.4.0, < 2.4.2 | 2.4.2 |
tensorflow-gpu | pip | >= 2.3.0, < 2.3.3 | 2.3.3 |
tensorflow-gpu | pip | >= 2.4.0, < 2.4.2 | 2.4.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the code segment where 'num_batches' is derived directly from the first element of 'dense_shape' tensor (lines 199-213 in count_ops.cc). The unvalidated use of user-controlled input to initialize a std::vector-based structure violates std::vector's invariants when negative values are provided. The patched commit adds explicit validation for non-negative dense_shape elements, confirming this was the root cause. The function's direct handling of untrusted input and lack of pre-validation make it clearly vulnerable.