Miggo Logo

CVE-2021-41195: Crash in `tf.math.segment_*` operations

5.5

CVSS Score
3.1

Basic Information

EPSS Score
0.10439%
Published
11/10/2021
Updated
11/13/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
tensorflowpip>= 2.6.0, < 2.6.12.6.1
tensorflowpip>= 2.5.0, < 2.5.22.5.2
tensorflowpip< 2.4.42.4.4
tensorflow-cpupip>= 2.6.0, < 2.6.12.6.1
tensorflow-cpupip>= 2.5.0, < 2.5.22.5.2
tensorflow-cpupip< 2.4.42.4.4
tensorflow-gpupip>= 2.6.0, < 2.6.12.6.1
tensorflow-gpupip>= 2.5.0, < 2.5.22.5.2
tensorflow-gpupip< 2.4.42.4.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the use of TensorShape::set_dim (which internally uses AddDim) in segment reduction operations. AddDim lacks overflow checks and triggers a fatal CHECK failure when segment_ids produce large output dimensions. The patched commit explicitly replaces set_dim with SetDimWithStatus (which uses AddDimWithStatus) in both CPU and GPU implementations in segment_reduction_ops_impl.h, confirming these functions as the vulnerable points. The affected code paths are directly identified in the provided diff.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** impl*m*nt*tion o* `t*.m*t*.s**m*nt_*` op*r*tions r*sults in * `****K`-**il r*l*t** **ort (*n* **ni*l o* s*rvi**) i* * s**m*nt i* in `s**m*nt_i*s` is l*r**. ```pyt*on import t*nsor*low *s t* t*.m*t*.s**m*nt_m*x(**t*=np.on*s((*,**,*)),

Reasoning

T** vuln*r**ility st*ms *rom t** us* o* T*nsorS**p*::s*t_*im (w*i** int*rn*lly us*s ****im) in s**m*nt r**u*tion op*r*tions. ****im l**ks ov*r*low ****ks *n* tri***rs * **t*l ****K **ilur* w**n s**m*nt_i*s pro*u** l*r** output *im*nsions. T** p*t****