CVE-2021-29586: Division by zero in optimized pooling implementations in TFLite
2.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.0254%
CWE
Published
5/21/2021
Updated
11/13/2024
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
tensorflow | pip | < 2.1.4 | 2.1.4 |
tensorflow | pip | >= 2.2.0, < 2.2.3 | 2.2.3 |
tensorflow | pip | >= 2.3.0, < 2.3.3 | 2.3.3 |
tensorflow | pip | >= 2.4.0, < 2.4.2 | 2.4.2 |
tensorflow-cpu | pip | < 2.1.4 | 2.1.4 |
tensorflow-cpu | pip | >= 2.2.0, < 2.2.3 | 2.2.3 |
tensorflow-cpu | pip | >= 2.3.0, < 2.3.3 | 2.3.3 |
tensorflow-cpu | pip | >= 2.4.0, < 2.4.2 | 2.4.2 |
tensorflow-gpu | pip | < 2.1.4 | 2.1.4 |
tensorflow-gpu | pip | >= 2.2.0, < 2.2.3 | 2.2.3 |
tensorflow-gpu | pip | >= 2.3.0, < 2.3.3 | 2.3.3 |
tensorflow-gpu | pip | >= 2.4.0, < 2.4.2 | 2.4.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing validation of stride parameters in the GenericPrepare function. The commit 5f7975d explicitly adds TF_LITE_ENSURE checks for stride values in this function, and the vulnerability description identifies ComputePaddingHeightWidth usage with unvalidated strides. Since GenericPrepare is the entry point for pooling operations and lacked these critical checks, it is the clear vulnerable function.