PT-2021-18295 · Google · Tensorflow

Author: Yakun Zhang
Published: 2021-05-14 · Updated: 2024-10-31
CVE-2021-29544
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: TensorFlow versions 2.4.2 through 2.4.x and versions prior to 2.5.0

Description: An attacker can trigger a denial of service via a CHECK-fail in tf.raw_ops.QuantizeAndDequantizeV4Grad. The implementation does not validate the rank of the input tensors, so they are passed as they are to QuantizeAndDequantizePerChannelGradientImpl. However, the vec<T> method requires the rank to be 1 and triggers a CHECK failure otherwise.

Recommendations: For versions 2.4.2 through 2.4.x and for versions prior to 2.5.0, update to version 2.5.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of tf.raw_ops.QuantizeAndDequantizeV4Grad until a patch is available.
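The missing rank check described above, as an added C++ illustration that is not TensorFlow's code: a toy tensor whose vec() aborts when the rank is not 1 (modelling CHECK), the unchecked per-channel access beside a validation routine that returns an error status instead of crashing. ToyTensor, Status, PerChannelRangeUnchecked and ValidatePerChannelRanges are hypothetical names, and the check is modelled on the class of fix, not copied from TensorFlow's patch.

```cpp
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>
// Minimal stand-in for a TensorFlow tensor (hypothetical type, not TF's).
struct ToyTensor {
    std::vector<int> shape;    // one extent per dimension; rank == shape.size()
    std::vector<float> data;
    int dims() const { return static_cast<int>(shape.size()); }
    // Models Tensor::vec<T>(): valid only for rank 1. Like a TensorFlow
    // CHECK, a rank mismatch aborts the whole process.
    const std::vector<float>& vec() const {
        if (dims() != 1) {
            std::fprintf(stderr, "CHECK failed: dims() == 1 (got %d)\n", dims());
            std::abort();
        }
        return data;
    }
};
struct Status { bool ok; std::string message; };

// Vulnerable pattern from the advisory: vec() is taken on the min/max
// tensors with no rank check, so a rank-2 input aborts the process (DoS).
float PerChannelRangeUnchecked(const ToyTensor& input_min,
                               const ToyTensor& input_max, int channel) {
    return input_max.vec()[channel] - input_min.vec()[channel];
}
// Hardened pattern: reject malformed shapes with a returned error before
// any rank-1 view is taken, so bad input yields an InvalidArgument-style
// status instead of a crash.
Status ValidatePerChannelRanges(const ToyTensor& input, const ToyTensor& input_min,
                                const ToyTensor& input_max, int axis) {
    if (axis < 0 || axis >= input.dims())
        return {false, "axis is out of range for the input rank"};
    if (input_min.dims() != 1 || input_max.dims() != 1)
        return {false, "input_min and input_max must be rank 1 for per-channel mode"};
    const size_t depth = static_cast<size_t>(input.shape[axis]);
    if (input_min.data.size() != depth || input_max.data.size() != depth)
        return {false, "input_min/input_max length must equal the axis extent"};
    return {true, ""};
}
int main() {
    // Constructed sample: 2x3 input, rank-2 (malformed) input_min, rank-1 input_max.
    ToyTensor input{{2, 3}, std::vector<float>(6, 0.f)};
    Status s = ValidatePerChannelRanges(input, ToyTensor{{1, 3}, {0.f, -1.f, -2.f}},
                                        ToyTensor{{3}, {1.f, 2.f, 3.f}}, 1);
    std::printf("%s\n", s.ok ? "ok" : s.message.c_str());  // rejected, no abort
    return 0;
}
```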


Weakness Enumeration: Improper Check for Exceptional Conditions

Related Identifiers

BIT-TENSORFLOW-2021-29544
CVE-2021-29544
GHSA-6G85-3HM8-83F9
PYSEC-2021-181
PYSEC-2021-472
PYSEC-2021-670

Affected Products

Tensorflow