CVE-2021-29551

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier

Description The implementation of MatrixTriangularSolve fails to terminate kernel execution if one validation condition fails, allowing malicious attackers to trigger an out of bounds read. This issue arises because OP REQUIRES only sets the status to a non-OK value and calls return, but does not interrupt execution. As a result, the initialization of the bcast object is done with invalid data, resulting in a heap out of bounds read.

Recommendations For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later to resolve the issue. For TensorFlow versions 2.4.2 and earlier, update to version 2.4.2 or later to resolve the issue. For TensorFlow versions 2.3.3 and earlier, update to version 2.3.3 or later to resolve the issue. For TensorFlow versions 2.2.3 and earlier, update to version 2.2.3 or later to resolve the issue. For TensorFlow versions 2.1.4 and earlier, update to version 2.1.4 or later to resolve the issue. As a temporary workaround, consider disabling the MatrixTriangularSolve function until a patch is available.