Ying Wang

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.6.0 TensorFlow versions 2.5.1 and earlier TensorFlow versions 2.4.3 and earlier TensorFlow versions 2.3.4 and earlier **Description** An attacker can trigger a denial of service via a segmentation fault in `tf.raw ops.MaxPoolGrad` caused by missing validation for the `orig input` and `orig output` tensors. The issue arises from incomplete fixes for a previous problem. **Recommendations** For versions prior to 2.6.0, update to TensorFlow 2.6.0 or later. For versions 2.5.1 and earlier, update to TensorFlow 2.5.1 or later. For versions 2.4.3 and earlier, update to TensorFlow 2.4.3 or later. For versions 2.3.4 and earlier, update to TensorFlow 2.3.4 or later. As a temporary workaround, consider disabling the `tf.raw ops.MaxPoolGrad` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.6.0 TensorFlow versions 2.5.1 and earlier TensorFlow versions 2.4.3 and earlier TensorFlow versions 2.3.4 and earlier **Description** An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw ops.MapStage`. The implementation does not check that the `key` input is a valid non-empty tensor. **Recommendations** For TensorFlow versions prior to 2.6.0, update to version 2.6.0 or later. For TensorFlow versions 2.5.1 and earlier, update to version 2.5.1 or later. For TensorFlow versions 2.4.3 and earlier, update to version 2.4.3 or later. For TensorFlow versions 2.3.4 and earlier, update to version 2.3.4 or later. As a temporary workaround, consider validating the `key` input to ensure it is a valid non-empty tensor before passing it to `tf.raw ops.MapStage`.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow version 2.4.2 TensorFlow version 2.3.3 TensorFlow version 2.2.3 TensorFlow version 2.1.4 Description: Calling `tf.raw ops.RaggedTensorToVariant` with arguments specifying an invalid ragged tensor results in a null pointer dereference. The implementation of `RaggedTensorToVariant` operations does not validate that the ragged tensor argument is non-empty. Since `batched ragged` contains no elements, `batched ragged.splits` is a null vector, thus `batched ragged.splits(0)` will result in dereferencing `nullptr`. Recommendations: For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later. For TensorFlow version 2.4.2, apply the cherrypicked commit or update to a later version. For TensorFlow version 2.3.3, apply the cherrypicked commit or update to a later version. For TensorFlow version 2.2.3, apply the cherrypicked commit or update to a later version. For TensorFlow version 2.1.4, apply the cherrypicked commit or update to a later version. As a temporary workaround, consider avoiding the use of `tf.raw ops.RaggedTensorToVariant` with invalid ragged tensors until a patch is available.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow version 2.4.2 TensorFlow version 2.3.3 TensorFlow version 2.2.3 TensorFlow version 2.1.4 Description: The API of `tf.raw ops.SparseCross` allows combinations which would result in a `CHECK`-failure and denial of service. This is because the implementation is tricked to consider a tensor of type `tstring` which in fact contains integral elements. Fixing the type confusion by preventing mixing `DT STRING` and `DT INT64` types solves this issue. Recommendations: For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later to resolve the issue. For TensorFlow version 2.4.2, apply the cherrypicked commit to resolve the issue. For TensorFlow version 2.3.3, apply the cherrypicked commit to resolve the issue. For TensorFlow version 2.2.3, apply the cherrypicked commit to resolve the issue. For TensorFlow version 2.1.4, apply the cherrypicked commit to resolve the issue. As a temporary workaround, consider restricting the use of the `tf.raw ops.SparseCross` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow version 2.4.2 TensorFlow version 2.3.3 TensorFlow version 2.2.3 TensorFlow version 2.1.4 Description: Missing validation between arguments to `tf.raw ops.Conv3DBackprop*` operations can result in heap buffer overflows. This occurs because the implementation assumes that the `input`, `filter sizes`, and `out backprop` tensors have the same shape, as they are accessed in parallel. Recommendations: For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later. For TensorFlow version 2.4.2, apply the patch from GitHub commit 8f37b52e1320d8d72a9529b2468277791a261197. For TensorFlow version 2.3.3, apply the patch from GitHub commit 8f37b52e1320d8d72a9529b2468277791a261197. For TensorFlow version 2.2.3, apply the patch from GitHub commit 8f37b52e1320d8d72a9529b2468277791a261197. For TensorFlow version 2.1.4, apply the patch from GitHub commit 8f37b52e1320d8d72a9529b2468277791a261197. As a temporary workaround, consider disabling the `tf.raw ops.Conv3DBackprop*` operations until a patch is available.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.1 and earlier TensorFlow versions 2.3.2 and earlier Description: Specifying a negative dense shape in `tf.raw ops.SparseCountSparseOutput` results in a segmentation fault being thrown out from the standard library as `std::vector` invariants are broken. This is because the implementation assumes the first element of the dense shape is always positive and uses it to initialize a `BatchedMap<T>` data structure. Ensuring that the `dense shape` argument is a valid tensor shape solves this issue. Recommendations: For TensorFlow versions prior to 2.5.0, update to TensorFlow 2.5.0 or later to resolve the issue. For TensorFlow versions 2.4.1 and earlier, update to TensorFlow 2.4.2 or later to resolve the issue. For TensorFlow versions 2.3.2 and earlier, update to TensorFlow 2.3.3 or later to resolve the issue. As a temporary workaround, ensure that the `dense shape` argument is a valid tensor shape, with all elements being non-negative, to prevent the segmentation fault.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow version 2.4.2 TensorFlow version 2.3.3 TensorFlow version 2.2.3 TensorFlow version 2.1.4 Description: An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw ops.AddManySparseToTensorsMap`. This occurs because the implementation takes the values specified in `sparse shape` as dimensions for the output shape. The `TensorShape` constructor uses a `CHECK` operation which triggers when `InitDims` returns a non-OK status. This happens when adding a dimension from the argument results in overflow. The issue is due to a legacy implementation of the constructor and can be prevented by using `BuildTensorShapeBase` or `AddDimWithStatus` to handle overflows. Recommendations: For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later. For TensorFlow version 2.4.2, apply the patch from GitHub commit 69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c. For TensorFlow version 2.3.3, apply the patch from GitHub commit 69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c. For TensorFlow version 2.2.3, apply the patch from GitHub commit 69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c. For TensorFlow version 2.1.4, apply the patch from GitHub commit 69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c. As a temporary workaround, consider avoiding the use of `tf.raw ops.AddManySparseToTensorsMap` with large `sparse shape` values until a patch is applied.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier Description: An attacker can trigger a `CHECK` fail in PNG encoding by providing an empty input tensor as the pixel data. This is because the implementation only validates that the total number of pixels in the image does not overflow, allowing an attacker to send an empty matrix for encoding. When calling `png::WriteImageToBuffer`, the first argument is `NULL`, triggering a `CHECK NOTNULL` and resulting in `abort` being called after printing the stacktrace. This allows an attacker to mount a denial of service attack. Recommendations: Update to TensorFlow 2.5.0 or later. For versions 2.4.2, 2.3.3, 2.2.3, and 2.1.4, apply the cherrypicked commit to fix the issue. As a temporary workaround, consider validating input tensors to ensure they are not empty before encoding.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier Description: An attacker can trigger a division by 0 in `tf.raw ops.Conv2DBackpropFilter`. This is because the implementation does a modulus operation where the divisor is controlled by the caller. The issue can be exploited by creating a specific input tensor and filter sizes, allowing an attacker to cause a division by zero error. Recommendations: For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later. For TensorFlow versions 2.4.2 and earlier, update to version 2.4.2 or later. For TensorFlow versions 2.3.3 and earlier, update to version 2.3.3 or later. For TensorFlow versions 2.2.3 and earlier, update to version 2.2.3 or later. For TensorFlow versions 2.1.4 and earlier, update to version 2.1.4 or later. As a temporary workaround, consider avoiding the use of `tf.raw ops.Conv2DBackpropFilter` until a patch is applied.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier Description: An attacker can trigger a division by 0 in `tf.raw ops.Conv2DBackpropInput`. This is because the implementation does a division by a quantity that is controlled by the caller. The issue arises from the calculation of `size A`, `size B`, `size C`, and `work unit size` in the `conv grad input ops.h` file, which can lead to a division by zero. Recommendations: For versions prior to 2.5.0, update to TensorFlow 2.5.0 or later. For versions 2.4.2 and earlier, update to TensorFlow 2.4.2 or later. For versions 2.3.3 and earlier, update to TensorFlow 2.3.3 or later. For versions 2.2.3 and earlier, update to TensorFlow 2.2.3 or later. For versions 2.1.4 and earlier, update to TensorFlow 2.1.4 or later. As a temporary workaround, consider avoiding the use of `tf.raw ops.Conv2DBackpropInput` until a patch is available.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier Description: An attacker can trigger a division by 0 in `tf.raw ops.Conv2D` because the implementation does a division by a quantity that is controlled by the caller. This issue can be exploited by providing a specially crafted input to the `tf.raw ops.Conv2D` function, which can cause a division by zero error. Recommendations: For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later to resolve the issue. For TensorFlow versions 2.4.2 and earlier, update to version 2.4.2 or later to resolve the issue. For TensorFlow versions 2.3.3 and earlier, update to version 2.3.3 or later to resolve the issue. For TensorFlow versions 2.2.3 and earlier, update to version 2.2.3 or later to resolve the issue. For TensorFlow versions 2.1.4 and earlier, update to version 2.1.4 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the `tf.raw ops.Conv2D` function with untrusted input until a patch is available.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier Description: An attacker can trigger a division by 0 in `tf.raw ops.QuantizedConv2D`. This is because the implementation does a division by a quantity that is controlled by the caller. The issue arises from the calculation of `patches per chunk`, which is based on `filter value count` and can be manipulated by the caller. Recommendations: For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later. For TensorFlow versions 2.4.2 and earlier, update to version 2.4.2 or later. For TensorFlow versions 2.3.3 and earlier, update to version 2.3.3 or later. For TensorFlow versions 2.2.3 and earlier, update to version 2.2.3 or later. For TensorFlow versions 2.1.4 and earlier, update to version 2.1.4 or later. As a temporary workaround, consider avoiding the use of `tf.raw ops.QuantizedConv2D` until a patch is available.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier Description: An attacker can trigger a division by 0 in `tf.raw ops.QuantizedMul`. This is because the implementation does a division by a quantity that is controlled by the caller. The issue can be exploited by passing specific values to the `tf.raw ops.QuantizedMul` function, such as empty tensors or tensors with specific values. Recommendations: For TensorFlow versions prior to 2.5.0, update to TensorFlow 2.5.0 or later. For TensorFlow versions 2.4.2 and earlier, update to TensorFlow 2.4.2 or later. For TensorFlow versions 2.3.3 and earlier, update to TensorFlow 2.3.3 or later. For TensorFlow versions 2.2.3 and earlier, update to TensorFlow 2.2.3 or later. For TensorFlow versions 2.1.4 and earlier, update to TensorFlow 2.1.4 or later. As a temporary workaround, consider avoiding the use of the `tf.raw ops.QuantizedMul` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow versions 2.1.4 through 2.4.2 Description: An attacker can trigger a heap buffer overflow in `tf.raw ops.QuantizedResizeBilinear` by manipulating input values so that float rounding results in off-by-one error in accessing image elements. This occurs because the implementation computes two integers (representing the upper and lower bounds for interpolation) by ceiling and flooring a floating point value. For some values of `in`, `interpolation->upper[i]` might be smaller than `interpolation->lower[i]`, which is an issue if `interpolation->upper[i]` is capped at `in size-1` as it means that `interpolation->lower[i]` points outside of the image. Then, in the interpolation code, this would result in heap buffer overflow. Recommendations: For versions prior to 2.5.0, update to TensorFlow 2.5.0 or later. For versions 2.1.4 through 2.4.2, update to the respective patched versions: 2.1.4, 2.2.3, 2.3.3, or 2.4.2. As a temporary workaround, consider restricting the use of the `tf.raw ops.QuantizedResizeBilinear` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier Description: An attacker can trigger a null pointer dereference by providing an invalid `permutation` to `tf.raw ops.SparseMatrixSparseCholesky`. This is because the implementation fails to properly validate the input arguments. The `ValidateInputs` function is called, but it does not properly handle validation failures, allowing the code to proceed with invalid inputs. The issue can be exploited by providing a specially crafted `permutation` argument to the `tf.raw ops.SparseMatrixSparseCholesky` function. Recommendations: For TensorFlow versions prior to 2.5.0, update to TensorFlow 2.5.0 or later. For TensorFlow versions 2.4.2 and earlier, update to TensorFlow 2.4.2 or later. For TensorFlow versions 2.3.3 and earlier, update to TensorFlow 2.3.3 or later. For TensorFlow versions 2.2.3 and earlier, update to TensorFlow 2.2.3 or later. For TensorFlow versions 2.1.4 and earlier, update to TensorFlow 2.1.4 or later. As a temporary workaround, consider avoiding the use of the `tf.raw ops.SparseMatrixSparseCholesky` function with untrusted input until a patch is available.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier Description: The `tf.raw ops.Conv3DBackprop*` operations fail to validate that the input tensors are not empty, resulting in a division by 0 error. This occurs because the implementation does not check that the divisor used in computing the shard size is not zero. If an attacker controls the input sizes, they can trigger a denial of service via a division by zero error. Recommendations: For versions prior to 2.5.0, update to TensorFlow 2.5.0 or later. For versions 2.4.2 and earlier, update to TensorFlow 2.4.2 or later. For versions 2.3.3 and earlier, update to TensorFlow 2.3.3 or later. For versions 2.2.3 and earlier, update to TensorFlow 2.2.3 or later. For versions 2.1.4 and earlier, update to TensorFlow 2.1.4 or later. As a temporary workaround, consider disabling the `tf.raw ops.Conv3DBackprop*` operations until a patch is available.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier Description: An attacker can force accesses outside the bounds of heap allocated arrays by passing in invalid tensor values to `tf.raw ops.RaggedCross`. This is because the implementation lacks validation for the user supplied arguments. Each of the above branches call a helper function after accessing array elements via a `* list[next *]` pattern, followed by incrementing the `next *` index. However, as there is no validation that the `next *` values are in the valid range for the corresponding `* list` arrays, this results in heap OOB reads. Recommendations: For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later. For TensorFlow versions 2.4.2 and earlier, update to version 2.4.2 or later. For TensorFlow versions 2.3.3 and earlier, update to version 2.3.3 or later. For TensorFlow versions 2.2.3 and earlier, update to version 2.2.3 or later. For TensorFlow versions 2.1.4 and earlier, update to version 2.1.4 or later. As a temporary workaround, consider restricting the use of `tf.raw ops.RaggedCross` until a patch is available.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow version 2.4.2 TensorFlow version 2.3.3 TensorFlow version 2.2.3 TensorFlow version 2.1.4 Description: An attacker can trigger a denial of service via a `CHECK` failure by passing an empty image to `tf.raw ops.DrawBoundingBoxes`. This is because the implementation uses `CHECK *` assertions instead of `OP REQUIRES` to validate user-controlled inputs. The `CHECK *` macros result in a crash if the condition is false, similar to `assert`. In this case, `height` is 0 from the `images` input, resulting in `max box row clamp` being negative and the assertion being falsified, followed by aborting program execution. Recommendations: For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later. For TensorFlow version 2.4.2, update to a patched version that includes the fix. For TensorFlow version 2.3.3, update to a patched version that includes the fix. For TensorFlow version 2.2.3, update to a patched version that includes the fix. For TensorFlow version 2.1.4, update to a patched version that includes the fix. As a temporary workaround, consider avoiding the use of `tf.raw ops.DrawBoundingBoxes` with empty images until a patch is available.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier Description: An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw ops.SparseConcat`. This occurs because the implementation takes the values specified in `shapes[0]` as dimensions for the output shape. The `TensorShape` constructor uses a `CHECK` operation which triggers when `InitDims` returns a non-OK status, typically due to overflow when adding a dimension from the argument. This is a legacy implementation of the constructor, and operations should use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in the presence of overflows. Recommendations: For versions prior to 2.5.0, update to TensorFlow 2.5.0 or later. For versions 2.4.2 and earlier, update to TensorFlow 2.4.2 or later. For versions 2.3.3 and earlier, update to TensorFlow 2.3.3 or later. For versions 2.2.3 and earlier, update to TensorFlow 2.2.3 or later. For versions 2.1.4 and earlier, update to TensorFlow 2.1.4 or later. As a temporary workaround, consider avoiding the use of `tf.raw ops.SparseConcat` with large input shapes until a patch is available.

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow version 2.4.2 TensorFlow version 2.3.3 TensorFlow version 2.2.3 TensorFlow version 2.1.4 Description: A malicious user could trigger a division by 0 in the `Conv3D` implementation. The implementation does a modulo operation based on user-controlled input, and when the `filter` has a 0 as the fifth element, this results in a division by 0. Additionally, if the shape of the two tensors is not valid, an Eigen assertion can be triggered, resulting in a program crash. Recommendations: For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later. For TensorFlow version 2.4.2, apply the cherrypicked commit. For TensorFlow version 2.3.3, apply the cherrypicked commit. For TensorFlow version 2.2.3, apply the cherrypicked commit. For TensorFlow version 2.1.4, apply the cherrypicked commit. As a temporary workaround, consider disabling the `Conv3D` function until a patch is available. Avoid using the `filter` tensor with a 0 as the fifth element in the affected `Conv3D` implementation until the issue is resolved.