PT-2021-18320 · Google · Tensorflow

Yakun Zhang, +1

Published: 2021-05-14 · Updated: 2024-03-06

CVE-2021-29569

CVSS v3.1: 7.1 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.5.0
TensorFlow versions 2.4.2 and earlier
TensorFlow versions 2.3.3 and earlier
TensorFlow versions 2.2.3 and earlier
TensorFlow versions 2.1.4 and earlier
Description

The implementation of tf.raw_ops.MaxPoolGradWithArgmax can read outside the bounds of heap-allocated data if an attacker supplies specially crafted inputs. The implementation assumes that the input_min and input_max tensors have at least one element. If the tensors are empty, accessing even the 0th element is an out-of-bounds read.
Recommendations

For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later.
For TensorFlow versions 2.4.2 and earlier, update to version 2.4.2 or later.
For TensorFlow versions 2.3.3 and earlier, update to version 2.3.3 or later.
For TensorFlow versions 2.2.3 and earlier, update to version 2.2.3 or later.
For TensorFlow versions 2.1.4 and earlier, update to version 2.1.4 or later.

As a temporary workaround, validate that the input_min and input_max tensors are not empty before passing them to tf.raw_ops.MaxPoolGradWithArgmax.
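The workaround above, as an added example rather than TensorFlow's own code: a small wrapper that refuses to dispatch a raw op when any required tensor is empty, so the kernel's "at least one element" assumption is never reached. It assumes nothing about the real op's signature (the argument names input_min and input_max are taken from the advisory's wording, and the op and tensor objects are constructed stand-ins), so it runs without TensorFlow installed.

```python
# Added example (not TensorFlow code): a defensive wrapper implementing the
# advisory's workaround. Empty tensors are rejected before the raw op runs.
# No TensorFlow import, so it runs offline; tensor and op below are constructed.
from math import prod


def num_elements(shape):
    """Element count for a static shape; () is a scalar with one element."""
    return prod(int(d) for d in shape)


def call_raw_op_checked(op, required_nonempty, **kwargs):
    """Call op(**kwargs) only after every argument named in required_nonempty
    is present and holds at least one element; raise ValueError otherwise.
    Failing closed here means the raw op never sees the empty tensor that
    would trigger the out-of-bounds read described in the advisory."""
    for name in required_nonempty:
        shape = getattr(kwargs.get(name), "shape", None)
        if shape is None:
            raise ValueError(f"{name}: missing argument or no static shape")
        if num_elements(shape) == 0:
            raise ValueError(f"{name}: empty tensor, shape {tuple(shape)}")
    return op(**kwargs)


class FakeTensor:
    """Constructed stand-in carrying only a .shape, enough for the check."""
    def __init__(self, shape):
        self.shape = tuple(shape)


def fake_max_pool_grad_with_argmax(**kwargs):
    """Constructed stand-in for the raw op (its real signature is not on this
    page); returns the argument names it received."""
    return sorted(kwargs)


def run_demo():
    # Argument names input_min / input_max follow the advisory's wording.
    required = ("input_min", "input_max")
    good = dict(input_min=FakeTensor((1,)), input_max=FakeTensor((1,)))
    bad = dict(input_min=FakeTensor((0,)), input_max=FakeTensor((1,)))
    accepted = call_raw_op_checked(fake_max_pool_grad_with_argmax, required, **good)
    try:
        call_raw_op_checked(fake_max_pool_grad_with_argmax, required, **bad)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected
```

A rank-0 scalar has shape () and one element, so it passes the check; any dimension of size 0 makes the tensor empty and is refused.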

Weakness Enumeration

Out-of-bounds Read

Related Identifiers

BIT-TENSORFLOW-2021-29569
CVE-2021-29569
GHSA-3H8M-483J-7XXM
PYSEC-2021-206
PYSEC-2021-497
PYSEC-2021-695

Affected Products

Tensorflow