PT-2021-18313 · Google · Tensorflow

Yakun Zhang +1 · Published 2021-05-14 · Updated 2024-03-06 · CVE-2021-29562

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.5.0
TensorFlow version 2.4.2
TensorFlow version 2.3.3
TensorFlow version 2.2.3
TensorFlow version 2.1.4

Description

An attacker can cause a denial of service by exploiting a CHECK-failure coming from the implementation of tf.raw_ops.IRFFT. This issue can be triggered by causing Eigen code to operate on an empty matrix, which leads to program termination. The vulnerability was reported by Yakun Zhang and Ying Wang of Baidu X-Team.

Recommendations

For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later.
For TensorFlow version 2.4.2, apply the patch from GitHub commit 1c56f53be0b722ca657cbc7df461ed676c8642a2 or update to a later version.
For TensorFlow version 2.3.3, apply the patch from GitHub commit 1c56f53be0b722ca657cbc7df461ed676c8642a2 or update to a later version.
For TensorFlow version 2.2.3, apply the patch from GitHub commit 1c56f53be0b722ca657cbc7df461ed676c8642a2 or update to a later version.
For TensorFlow version 2.1.4, apply the patch from GitHub commit 1c56f53be0b722ca657cbc7df461ed676c8642a2 or update to a later version.
As a temporary workaround, consider avoiding the use of tf.raw_ops.IRFFT with empty matrices until a patch is applied.

Exploit

Fix

Assertion Failure

Weakness Enumeration

Related Identifiers

BIT-TENSORFLOW-2021-29562
CVE-2021-29562
GHSA-36VM-XW34-X4PJ
PYSEC-2021-199
PYSEC-2021-490
PYSEC-2021-688

Affected Products

Tensorflow