Yakun Zhang

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 100.0.4896.60 **Description** The issue is related to a use after free in the Extensions component, potentially allowing an attacker to exploit heap corruption via specific user interaction. This could lead to unauthorized access to protected information. The exploitation may involve convincing a user to install a malicious extension. **Recommendations** For versions prior to 100.0.4896.60, update to version 100.0.4896.60 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.6.0 TensorFlow versions 2.5.1 and earlier TensorFlow versions 2.4.3 and earlier TensorFlow versions 2.3.4 and earlier **Description** An attacker can cause undefined behavior via binding a reference to null pointer in `tf.raw ops.SparseFillEmptyRows`. The shape inference implementation does not validate that the input arguments are not empty tensors. **Recommendations** For versions prior to 2.6.0, update to TensorFlow 2.6.0 or later. For versions 2.5.1 and earlier, update to TensorFlow 2.5.1 or later. For versions 2.4.3 and earlier, update to TensorFlow 2.4.3 or later. For versions 2.3.4 and earlier, update to TensorFlow 2.3.4 or later. As a temporary workaround, consider avoiding the use of `tf.raw ops.SparseFillEmptyRows` until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.6.0 TensorFlow versions 2.5.1 and earlier TensorFlow versions 2.4.3 and earlier TensorFlow versions 2.3.4 and earlier **Description** An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw ops.MapStage`. The implementation does not check that the `key` input is a valid non-empty tensor. **Recommendations** For TensorFlow versions prior to 2.6.0, update to version 2.6.0 or later. For TensorFlow versions 2.5.1 and earlier, update to version 2.5.1 or later. For TensorFlow versions 2.4.3 and earlier, update to version 2.4.3 or later. For TensorFlow versions 2.3.4 and earlier, update to version 2.3.4 or later. As a temporary workaround, consider validating the `key` input to ensure it is a valid non-empty tensor before passing it to `tf.raw ops.MapStage`.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.6.0 TensorFlow versions 2.5.1 and earlier TensorFlow versions 2.4.3 and earlier TensorFlow versions 2.3.4 and earlier **Description** An attacker can craft a TFLite model that would trigger a division by zero error in LSH implementation. The issue arises from the lack of a check that the first dimension of the input is non-zero in the `RunningSignBit` function. **Recommendations** For versions prior to 2.6.0, update to TensorFlow 2.6.0 or later. For versions 2.5.1 and earlier, update to TensorFlow 2.5.1 or later. For versions 2.4.3 and earlier, update to TensorFlow 2.4.3 or later. For versions 2.3.4 and earlier, update to TensorFlow 2.3.4 or later.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.6.0 TensorFlow versions 2.5.1 and earlier TensorFlow versions 2.4.3 and earlier TensorFlow versions 2.3.4 and earlier **Description** The issue arises from TFLite's GatherNd implementation not supporting negative indices but lacking checks for this situation, allowing an attacker to read arbitrary data from the heap by crafting a model with negative values in `indices`. A similar issue exists in the Gather implementation. This can be exploited by carefully crafting a model, as demonstrated in a provided Python example, which utilizes the `tf.gather` function with negative `indices` values to read data from the heap. **Recommendations** For versions prior to 2.6.0, update to TensorFlow 2.6.0 or later. For versions 2.5.1 and earlier, update to TensorFlow 2.5.1 or later. For versions 2.4.3 and earlier, update to TensorFlow 2.4.3 or later. For versions 2.3.4 and earlier, update to TensorFlow 2.3.4 or later. As a temporary workaround, consider disabling the `GatherNd` and `Gather` implementations until a patch is available. Restrict access to the vulnerable TFLite kernel to minimize the risk of exploitation. Avoid using negative values in `indices` for the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.6.0 TensorFlow versions 2.5.1 and earlier TensorFlow versions 2.4.3 and earlier TensorFlow versions 2.3.4 and earlier **Description** An attacker can trigger a denial of service via a segmentation fault in `tf.raw ops.MaxPoolGrad` caused by missing validation for the `orig input` and `orig output` tensors. The issue arises from incomplete fixes for a previous problem. **Recommendations** For versions prior to 2.6.0, update to TensorFlow 2.6.0 or later. For versions 2.5.1 and earlier, update to TensorFlow 2.5.1 or later. For versions 2.4.3 and earlier, update to TensorFlow 2.4.3 or later. For versions 2.3.4 and earlier, update to TensorFlow 2.3.4 or later. As a temporary workaround, consider disabling the `tf.raw ops.MaxPoolGrad` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.6.0 TensorFlow version 2.5.1 TensorFlow version 2.4.3 TensorFlow version 2.3.4 **Description** The issue is related to a division by 0 vulnerability in most implementations of convolution operators in TensorFlow, where an attacker can trigger a denial of service via a crash. The shape inference implementation is missing several validations before doing divisions and modulo operations. **Recommendations** For TensorFlow versions prior to 2.6.0, update to version 2.6.0 or later. For TensorFlow version 2.5.1, apply the patch from GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. For TensorFlow version 2.4.3, apply the patch from GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. For TensorFlow version 2.3.4, apply the patch from GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.6.0 TensorFlow versions 2.5.1 and earlier TensorFlow versions 2.4.3 and earlier TensorFlow versions 2.3.4 and earlier **Description** The implementation of fully connected layers in TFLite is vulnerable to a division by zero error. An attacker can craft a model such that `filter->dims->data[1]` is 0, causing the error. The issue has been reported by members of the Aivul Team from Qihoo 360 and Yakun Zhang of Baidu Security. **Recommendations** For TensorFlow versions prior to 2.6.0, update to version 2.6.0 or later. For TensorFlow versions 2.5.1 and earlier, update to version 2.5.1 or later, or apply the patch from GitHub commit 718721986aa137691ee23f03638867151f74935f. For TensorFlow versions 2.4.3 and earlier, update to version 2.4.3 or later, or apply the patch from GitHub commit 718721986aa137691ee23f03638867151f74935f. For TensorFlow versions 2.3.4 and earlier, update to version 2.3.4 or later, or apply the patch from GitHub commit 718721986aa137691ee23f03638867151f74935f. As a temporary workaround, consider restricting the use of fully connected layers in TFLite until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.6.0 TensorFlow versions 2.5.1 and earlier TensorFlow versions 2.4.3 and earlier TensorFlow versions 2.3.4 and earlier **Description** An attacker can craft a TFLite model that would trigger a null pointer dereference, resulting in a crash and denial of service. The implementation unconditionally dereferences a pointer. **Recommendations** For versions prior to 2.6.0, update to TensorFlow 2.6.0 or later. For versions 2.5.1 and earlier, update to TensorFlow 2.5.1 or later. For versions 2.4.3 and earlier, update to TensorFlow 2.4.3 or later. For versions 2.3.4 and earlier, update to TensorFlow 2.3.4 or later.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.6.0 TensorFlow versions 2.5.1 and earlier TensorFlow versions 2.4.3 and earlier TensorFlow versions 2.3.4 and earlier **Description** An attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service. This is caused by the MLIR optimization of `L2NormalizeReduceAxis` operator. The implementation unconditionally dereferences a pointer to an iterator to a vector without checking that the vector has elements. **Recommendations** For versions prior to 2.6.0, update to TensorFlow 2.6.0 or later. For versions 2.5.1 and earlier, update to TensorFlow 2.5.1 or later, or apply the patch from GitHub commit d6b57f461b39fd1aa8c1b870f1b974aac3554955. For versions 2.4.3 and earlier, update to TensorFlow 2.4.3 or later, or apply the patch from GitHub commit d6b57f461b39fd1aa8c1b870f1b974aac3554955. For versions 2.3.4 and earlier, update to TensorFlow 2.3.4 or later, or apply the patch from GitHub commit d6b57f461b39fd1aa8c1b870f1b974aac3554955. As a temporary workaround, consider disabling the `L2NormalizeReduceAxis` operator until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.6.0 TensorFlow versions 2.5.1 and earlier TensorFlow versions 2.4.3 and earlier TensorFlow versions 2.3.4 and earlier **Description** The issue is related to TensorFlow's TFLite, where the `expand dims.cc` file contains a vulnerability allowing the reading of one element outside the bounds of heap-allocated data. This occurs when the `axis` is a large negative value, causing the check after the `if` statement to pass and the `for` loop to read one element before the start of `input dims.data`. The vulnerability was reported by Yakun Zhang of Baidu Security. **Recommendations** For versions prior to 2.6.0, update to TensorFlow 2.6.0 or later. For versions 2.5.1 and earlier, update to TensorFlow 2.5.1 or later. For versions 2.4.3 and earlier, update to TensorFlow 2.4.3 or later. For versions 2.3.4 and earlier, update to TensorFlow 2.3.4 or later. As a temporary workaround, consider restricting the use of the `axis` parameter in the affected `expand dims.cc` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.6.0 TensorFlow versions 2.5.1 and earlier TensorFlow versions 2.4.3 and earlier TensorFlow versions 2.3.4 and earlier **Description** The shape inference code for `tf.raw ops.Dequantize` has a vulnerability that could trigger a denial of service via a segfault if an attacker provides invalid arguments. The shape inference implementation uses `axis` to select between two different values for `minmax rank` which is then used to retrieve tensor dimensions. However, the code assumes that `axis` can be either `-1` or a value greater than `-1`, with no validation for other values. **Recommendations** For versions prior to 2.6.0, update to TensorFlow 2.6.0 or later. For versions 2.5.1 and earlier, update to TensorFlow 2.5.1 or later. For versions 2.4.3 and earlier, update to TensorFlow 2.4.3 or later. For versions 2.3.4 and earlier, update to TensorFlow 2.3.4 or later. As a temporary workaround, consider validating the `axis` value before passing it to `tf.raw ops.Dequantize` to prevent the denial of service via a segfault.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier Description: An attacker can trigger a division by 0 in `tf.raw ops.QuantizedConv2D`. This is because the implementation does a division by a quantity that is controlled by the caller. The issue arises from the calculation of `patches per chunk`, which is based on `filter value count` and can be manipulated by the caller. Recommendations: For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later. For TensorFlow versions 2.4.2 and earlier, update to version 2.4.2 or later. For TensorFlow versions 2.3.3 and earlier, update to version 2.3.3 or later. For TensorFlow versions 2.2.3 and earlier, update to version 2.2.3 or later. For TensorFlow versions 2.1.4 and earlier, update to version 2.1.4 or later. As a temporary workaround, consider avoiding the use of `tf.raw ops.QuantizedConv2D` until a patch is available.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier Description: An attacker can trigger a division by 0 in `tf.raw ops.Conv2D` because the implementation does a division by a quantity that is controlled by the caller. This issue can be exploited by providing a specially crafted input to the `tf.raw ops.Conv2D` function, which can cause a division by zero error. Recommendations: For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later to resolve the issue. For TensorFlow versions 2.4.2 and earlier, update to version 2.4.2 or later to resolve the issue. For TensorFlow versions 2.3.3 and earlier, update to version 2.3.3 or later to resolve the issue. For TensorFlow versions 2.2.3 and earlier, update to version 2.2.3 or later to resolve the issue. For TensorFlow versions 2.1.4 and earlier, update to version 2.1.4 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the `tf.raw ops.Conv2D` function with untrusted input until a patch is available.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow version 2.4.2 TensorFlow version 2.3.3 TensorFlow version 2.2.3 TensorFlow version 2.1.4 Description: The API of `tf.raw ops.SparseCross` allows combinations which would result in a `CHECK`-failure and denial of service. This is because the implementation is tricked to consider a tensor of type `tstring` which in fact contains integral elements. Fixing the type confusion by preventing mixing `DT STRING` and `DT INT64` types solves this issue. Recommendations: For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later to resolve the issue. For TensorFlow version 2.4.2, apply the cherrypicked commit to resolve the issue. For TensorFlow version 2.3.3, apply the cherrypicked commit to resolve the issue. For TensorFlow version 2.2.3, apply the cherrypicked commit to resolve the issue. For TensorFlow version 2.1.4, apply the cherrypicked commit to resolve the issue. As a temporary workaround, consider restricting the use of the `tf.raw ops.SparseCross` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier Description: An attacker can trigger a division by 0 in `tf.raw ops.Conv2DBackpropInput`. This is because the implementation does a division by a quantity that is controlled by the caller. The issue arises from the calculation of `size A`, `size B`, `size C`, and `work unit size` in the `conv grad input ops.h` file, which can lead to a division by zero. Recommendations: For versions prior to 2.5.0, update to TensorFlow 2.5.0 or later. For versions 2.4.2 and earlier, update to TensorFlow 2.4.2 or later. For versions 2.3.3 and earlier, update to TensorFlow 2.3.3 or later. For versions 2.2.3 and earlier, update to TensorFlow 2.2.3 or later. For versions 2.1.4 and earlier, update to TensorFlow 2.1.4 or later. As a temporary workaround, consider avoiding the use of `tf.raw ops.Conv2DBackpropInput` until a patch is available.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier Description: An attacker can trigger a division by 0 in `tf.raw ops.Conv2DBackpropFilter`. This is because the implementation does a modulus operation where the divisor is controlled by the caller. The issue can be exploited by creating a specific input tensor and filter sizes, allowing an attacker to cause a division by zero error. Recommendations: For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later. For TensorFlow versions 2.4.2 and earlier, update to version 2.4.2 or later. For TensorFlow versions 2.3.3 and earlier, update to version 2.3.3 or later. For TensorFlow versions 2.2.3 and earlier, update to version 2.2.3 or later. For TensorFlow versions 2.1.4 and earlier, update to version 2.1.4 or later. As a temporary workaround, consider avoiding the use of `tf.raw ops.Conv2DBackpropFilter` until a patch is applied.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow version 2.4.2 TensorFlow version 2.3.3 TensorFlow version 2.2.3 TensorFlow version 2.1.4 Description: A malicious user could trigger a division by 0 in the `Conv3D` implementation. The implementation does a modulo operation based on user-controlled input, and when the `filter` has a 0 as the fifth element, this results in a division by 0. Additionally, if the shape of the two tensors is not valid, an Eigen assertion can be triggered, resulting in a program crash. Recommendations: For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later. For TensorFlow version 2.4.2, apply the cherrypicked commit. For TensorFlow version 2.3.3, apply the cherrypicked commit. For TensorFlow version 2.2.3, apply the cherrypicked commit. For TensorFlow version 2.1.4, apply the cherrypicked commit. As a temporary workaround, consider disabling the `Conv3D` function until a patch is available. Avoid using the `filter` tensor with a 0 as the fifth element in the affected `Conv3D` implementation until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow version 2.4.2 TensorFlow version 2.3.3 TensorFlow version 2.2.3 TensorFlow version 2.1.4 Description: The issue arises when calling TF operations with tensors of non-numeric types, resulting in null pointer dereferences. This occurs due to a type confusion in the conversion from Python array to C++ array. The estimated number of potentially affected devices is not provided. There is no information about real-world incidents where this issue was exploited. Technical details about exploitation include: - The conversion from Python array to C++ array is vulnerable to a type confusion. - The `pyarray type` is `NPY VOID` but the `descr` field is such that `descr->field = NULL`, triggering a null dereference in `PyArrayDescr to TF DataType`. - API endpoints and variables are not explicitly mentioned, but the issue involves the use of `tf.random.truncated normal`, `tf.random.stateless truncated normal`, `tf.one hot`, `tf.range`, and `tf.raw ops.ResourceCountUpTo` functions. Recommendations: - For TensorFlow version 2.1.4, update to a newer version that includes the fix. - For TensorFlow version 2.2.3, update to a newer version that includes the fix. - For TensorFlow version 2.3.3, update to a newer version that includes the fix. - For TensorFlow version 2.4.2, update to a newer version that includes the fix. - For versions prior to 2.5.0, update to version 2.5.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of non-numeric tensors with TF operations until a patch is available. Restrict access to the vulnerable conversion function to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow version 2.4.2 TensorFlow version 2.3.3 TensorFlow version 2.2.3 TensorFlow version 2.1.4 Description: An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw ops.AddManySparseToTensorsMap`. This occurs because the implementation takes the values specified in `sparse shape` as dimensions for the output shape. The `TensorShape` constructor uses a `CHECK` operation which triggers when `InitDims` returns a non-OK status. This happens when adding a dimension from the argument results in overflow. The issue is due to a legacy implementation of the constructor and can be prevented by using `BuildTensorShapeBase` or `AddDimWithStatus` to handle overflows. Recommendations: For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later. For TensorFlow version 2.4.2, apply the patch from GitHub commit 69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c. For TensorFlow version 2.3.3, apply the patch from GitHub commit 69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c. For TensorFlow version 2.2.3, apply the patch from GitHub commit 69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c. For TensorFlow version 2.1.4, apply the patch from GitHub commit 69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c. As a temporary workaround, consider avoiding the use of `tf.raw ops.AddManySparseToTensorsMap` with large `sparse shape` values until a patch is applied.