CVE-2021-29554

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.5.0 TensorFlow version 2.4.2 TensorFlow version 2.3.3

Description An attacker can cause a denial of service via a FPE runtime error in tf.raw ops.DenseCountSparseOutput. This is because the implementation computes a divisor value from user data but does not check that the result is 0 before doing the division. Since data is given by the values argument, num batch elements is 0. The issue can be exploited by providing specific input to the tf.raw ops.DenseCountSparseOutput function, such as empty values and weights arguments.

Recommendations For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later to resolve the issue. For TensorFlow version 2.4.2, apply the cherrypicked commit to resolve the issue. For TensorFlow version 2.3.3, apply the cherrypicked commit to resolve the issue. As a temporary workaround, consider avoiding the use of the tf.raw ops.DenseCountSparseOutput function with empty values and weights arguments until a patch is available.