CVE-2021-29538

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier

Description: An attacker can cause a division by zero to occur in Conv2DBackpropFilter. This is because the implementation computes a divisor based on user-provided data, specifically the shape of the tensors given as arguments. If all shapes are empty, then work unit size is 0, and since there is no check for this case before division, this results in a runtime exception, with potential to be abused for a denial of service.

Recommendations: For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later. For TensorFlow version 2.4.2, update to version 2.4.2 or later. For TensorFlow version 2.3.3, update to version 2.3.3 or later. For TensorFlow version 2.2.3, update to version 2.2.3 or later. For TensorFlow version 2.1.4, update to version 2.1.4 or later. As a temporary workaround, consider avoiding the use of Conv2DBackpropFilter with empty shapes until a patch is available.