CVE-2020-26269

Name of the Vulnerable Software and Affected Versions TensorFlow versions 2.4.0rc*

Description The general implementation for matching filesystem paths to globbing pattern in TensorFlow is vulnerable to an access out of bounds of the array holding the directories. This issue arises due to unverified invariants and preconditions in the parallel implementation of GetMatchingPaths. The vulnerability can cause a crash due to an out of bounds read under certain scenarios, such as when using tf.io.gfile.glob('/tmp/x/') on a directory containing a single file.

Recommendations For TensorFlow versions 2.4.0rc*, update to version 2.4.0 to resolve the issue. As a temporary workaround, consider avoiding the use of tf.io.gfile.glob() on directories with specific patterns that may trigger the out of bounds access until the patch is applied.