Miggo Logo

CVE-2021-37644: `std::abort` raised from `TensorListReserve`

5.5

CVSS Score
3.1

Basic Information

EPSS Score
0.00644%
Published
8/25/2021
Updated
11/13/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
tensorflowpip< 2.3.42.3.4
tensorflowpip>= 2.4.0, < 2.4.32.4.3
tensorflowpip= 2.5.02.5.1
tensorflow-cpupip< 2.3.42.3.4
tensorflow-cpupip>= 2.4.0, < 2.4.32.4.3
tensorflow-cpupip= 2.5.02.5.1
tensorflow-gpupip< 2.3.42.3.4
tensorflow-gpupip>= 2.4.0, < 2.4.32.4.3
tensorflow-gpupip= 2.5.02.5.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from TensorListReserve's Compute method in list_kernels.cc, which lacked validation of the num_elements input parameter. The unvalidated input was passed directly to std::vector::resize(), which cannot handle negative sizes. The patch explicitly adds an OP_REQUIRES check for non-negative values, confirming this was the vulnerable code path. The function's role in processing user-controlled input and the direct call to resize() make this identification unambiguous.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Provi*in* * n***tiv* *l*m*nt to `num_*l*m*nts` list *r*um*nt o* `t*.r*w_ops.T*nsorListR*s*rv*` **us*s t** runtim* to **ort t** pro**ss *u* to r**llo**tin* * `st*::v**tor` to **v* * n***tiv* num**r o* *l*m*nts: ```pyt*on import t*nsor*low

Reasoning

T** vuln*r**ility st*ms *rom T*nsorListR*s*rv*'s *omput* m*t*o* in list_k*rn*ls.**, w*i** l**k** v*li**tion o* t** num_*l*m*nts input p*r*m*t*r. T** unv*li**t** input w*s p*ss** *ir**tly to st*::v**tor::r*siz*(), w*i** **nnot **n*l* n***tiv* siz*s. T