PT-2021-18317 · Google · Tensorflow

Yakun Zhang +1

Published 2021-05-14 · Updated 2024-03-06 · CVE-2021-29566

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.5.0
TensorFlow versions 2.4.2 and earlier
TensorFlow versions 2.3.3 and earlier
TensorFlow versions 2.2.3 and earlier
TensorFlow versions 2.1.4 and earlier
Description

An attacker can write outside the bounds of heap-allocated arrays by passing invalid arguments to tf.raw_ops.Dilation2DBackpropInput. This is because the implementation does not validate the computed input index before writing to the output array. The values for h_out and w_out are guaranteed to be in range for out_backprop, but there are no similar guarantees relating h_in_max/w_in_max to in_backprop.
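The flaw described above, as an added example that is not TensorFlow's code: a stand-alone model of the Dilation2DBackpropInput write pattern with the missing check in place. The parameter struct, the last-tap index arithmetic and the two test shapes are assumptions made for this example.

```cpp
// Added example, not TensorFlow's code: a stand-alone model of the
// Dilation2DBackpropInput write pattern; field names and index arithmetic are assumptions.
#include <vector>

struct Dilation2DParams {
  int in_rows, in_cols;      // extent of in_backprop (gradient w.r.t. the input)
  int out_rows, out_cols;    // extent of out_backprop (gradient w.r.t. the output)
  int filter_rows, filter_cols, stride_rows, stride_cols;
  int rate_rows, rate_cols, pad_top, pad_left;
};

// Scatter out_backprop into in_backprop. h_out/w_out are always inside out_backprop,
// but the derived h_in_max/w_in_max are only inside in_backprop when the caller's
// shapes are consistent, so they must be checked before the write.
// Returns the number of writes the check rejected.
int dilation2d_backprop_input(const Dilation2DParams& p,
                              const std::vector<float>& out_backprop,
                              std::vector<float>& in_backprop) {
  int rejected = 0;
  for (int h_out = 0; h_out < p.out_rows; ++h_out) {
    for (int w_out = 0; w_out < p.out_cols; ++w_out) {
      int h_beg = h_out * p.stride_rows - p.pad_top;
      int w_beg = w_out * p.stride_cols - p.pad_left;
      // The real kernel picks the argmax tap of the filter window; this model
      // takes the window's last tap, which gives the largest h_in_max/w_in_max.
      int h_in_max = h_beg + (p.filter_rows - 1) * p.rate_rows;
      int w_in_max = w_beg + (p.filter_cols - 1) * p.rate_cols;
      // The fix: validate the derived input index before touching memory.
      if (h_in_max < 0 || h_in_max >= p.in_rows ||
          w_in_max < 0 || w_in_max >= p.in_cols) {
        ++rejected;
        continue;
      }
      in_backprop[h_in_max * p.in_cols + w_in_max] +=
          out_backprop[h_out * p.out_cols + w_out];
    }
  }
  return rejected;
}

// Consistent shapes: 4x4 input, 2x2 filter, stride 1, rate 1, no padding, 3x3 output.
int consistent_case() {
  Dilation2DParams p{4, 4, 3, 3, 2, 2, 1, 1, 1, 1, 0, 0};
  std::vector<float> out(9, 1.0f), in(16, 0.0f);
  return dilation2d_backprop_input(p, out, in);
}

// Inconsistent shapes of the kind the advisory describes: out_backprop claims
// 3x3 while in_backprop is only 2x2, so h_in_max/w_in_max reach 3.
int inconsistent_case() {
  Dilation2DParams p{2, 2, 3, 3, 2, 2, 1, 1, 1, 1, 0, 0};
  std::vector<float> out(9, 1.0f), in(4, 0.0f);
  return dilation2d_backprop_input(p, out, in);
}
```

Without the check, every one of the rejected writes in the inconsistent case would land past the end of the 2x2 buffer, which is the heap out-of-bounds write the advisory describes.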
Recommendations

For versions prior to 2.5.0, update to TensorFlow 2.5.0 or later.
For versions 2.4.2 and earlier, update to TensorFlow 2.4.2 or later.
For versions 2.3.3 and earlier, update to TensorFlow 2.3.3 or later.
For versions 2.2.3 and earlier, update to TensorFlow 2.2.3 or later.
For versions 2.1.4 and earlier, update to TensorFlow 2.1.4 or later.

As a temporary workaround, consider restricting the use of tf.raw_ops.Dilation2DBackpropInput until a patch is available.

Exploit

Fix

Weakness Enumeration

Memory Corruption

Related Identifiers

BIT-TENSORFLOW-2021-29566
CVE-2021-29566
GHSA-PVRC-HG3F-58R6
PYSEC-2021-203
PYSEC-2021-494
PYSEC-2021-692

Affected Products

Tensorflow