PT-2021-18297 · Google · Tensorflow

Yakun Zhang

Published 2021-05-14 · Updated 2024-03-06 · CVE-2021-29546

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.5.0
TensorFlow versions 2.1.4 through 2.4.2

Description

An attacker can trigger an integer division by zero (undefined behavior) in tf.raw_ops.QuantizedBiasAdd. The Eigen kernel implementation divides by the number of elements of the smaller input without checking that this count is non-zero. The issue can be triggered with a specific input, such as an empty tensor, which causes the division by zero.

Recommendations

For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later.
For TensorFlow version 2.1.4, update to version 2.1.4 with the cherrypicked commit.
For TensorFlow version 2.2.3, update to version 2.2.3 with the cherrypicked commit.
For TensorFlow version 2.3.3, update to version 2.3.3 with the cherrypicked commit.
For TensorFlow version 2.4.2, update to version 2.4.2 with the cherrypicked commit.

As a temporary workaround, consider avoiding the use of tf.raw_ops.QuantizedBiasAdd until a patch is available.
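As an added example (not part of this advisory and not TensorFlow's or Eigen's own code), the following pure-Python model shows the shape check the description says the kernel omitted. The kernel derives a row count by dividing the input element count by the element count of the smaller input (the bias); in C++ that division is undefined behavior when the bias is empty, whereas the guarded version below rejects the empty tensor up front. The function names, the rank-1 bias assumption and the plain integer add (the real op also rescales by quantization ranges, which is omitted here) are this example's own assumptions.

```python
"""Model of the missing divide-by-zero guard in a bias-add kernel.

Added example for this advisory; not TensorFlow code. The names and the
simplified arithmetic are assumptions made for illustration.
"""
import math
from typing import List, Sequence


def element_count(shape: Sequence[int]) -> int:
    """Number of elements in a tensor of the given shape (0 if any dim is 0)."""
    return math.prod(shape) if shape else 1


def unchecked_row_count(input_shape: Sequence[int], bias_shape: Sequence[int]) -> int:
    """The kernel's computation as described: divide by the smaller input's
    element count with no zero check. In Python this raises
    ZeroDivisionError for an empty bias; in C++ it is undefined behavior."""
    return element_count(input_shape) // element_count(bias_shape)


def check_bias_add_shapes(input_shape: Sequence[int], bias_shape: Sequence[int]) -> int:
    """Validate shapes before the division and return the broadcast row count.

    Rejects the empty-tensor case from the advisory and the shape mismatch
    that would otherwise read past the bias."""
    if len(bias_shape) != 1:
        raise ValueError(f"bias must be rank 1, got shape {tuple(bias_shape)}")
    bias_count = element_count(bias_shape)
    if bias_count == 0:
        # Empty bias: the kernel would divide by zero here.
        raise ValueError("bias tensor is empty")
    if not input_shape or input_shape[-1] != bias_count:
        raise ValueError(
            f"last input dimension {tuple(input_shape)} does not match bias length {bias_count}"
        )
    # Safe: bias_count is known to be > 0.
    return element_count(input_shape) // bias_count


def safe_bias_add(values: List[int], input_shape: Sequence[int], bias: List[int]) -> List[int]:
    """Broadcast-add `bias` along the last dimension of a flattened tensor,
    only after the shapes have passed the guard above."""
    rows = check_bias_add_shapes(input_shape, (len(bias),))
    if len(values) != element_count(input_shape):
        raise ValueError("flattened values do not match input_shape")
    out: List[int] = []
    for r in range(rows):
        base = r * len(bias)
        for c, b in enumerate(bias):
            out.append(values[base + c] + b)
    return out


if __name__ == "__main__":
    # Constructed sample: a 2x3 input with a length-3 bias.
    print(safe_bias_add([1, 2, 3, 4, 5, 6], (2, 3), [10, 20, 30]))
    try:
        safe_bias_add([], (0, 0), [])  # the empty-tensor case
    except ValueError as exc:
        print("rejected:", exc)
```

The guard runs before any arithmetic, so an empty bias is reported as an input error instead of reaching the division; an input with zero rows but a well-formed bias is still accepted and simply produces an empty result.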

Weakness Enumeration

Divide By Zero

Related Identifiers

BIT-TENSORFLOW-2021-29546
CVE-2021-29546
GHSA-M34J-P8RJ-WJXQ
PYSEC-2021-183
PYSEC-2021-474
PYSEC-2021-672

Affected Products

Tensorflow