CVE-2021-29542

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier

Description An attacker can cause a heap buffer overflow by passing crafted inputs to tf.raw ops.StringNGrams. This is because the implementation fails to consider corner cases where input would be split in such a way that the generated tokens should only contain padding elements. If input is such that num tokens is 0, then, for data start index=0 (when left padding is present), the marked line would result in reading data[-1].

Recommendations For versions prior to 2.5.0, update to TensorFlow 2.5.0 or later. For versions 2.4.2 and earlier, update to TensorFlow 2.4.2 or later. For versions 2.3.3 and earlier, update to TensorFlow 2.3.3 or later. For versions 2.2.3 and earlier, update to TensorFlow 2.2.3 or later. For versions 2.1.4 and earlier, update to TensorFlow 2.1.4 or later. As a temporary workaround, consider avoiding the use of tf.raw ops.StringNGrams until a patch is available.