PT-2021-18355 · Google · Tensorflow

Published: 2021-05-14 · Updated: 2024-03-06 · CVE-2021-29604

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.5.0
TensorFlow versions 2.4.2 and earlier
TensorFlow versions 2.3.3 and earlier
TensorFlow versions 2.2.3 and earlier
TensorFlow versions 2.1.4 and earlier
Description

The TFLite implementation of hashtable lookup in TensorFlow is vulnerable to a division by zero. An attacker can craft a model in which the first dimension of the values tensor is 0, which triggers the error when the operator runs. The issue lies in the calculation of the number of rows and the row byte size in the hashtable lookup function: the row byte size is derived by dividing by the number of rows, which is taken from the model without being checked for zero.
Recommendations

For versions prior to 2.5.0, update to TensorFlow 2.5.0 or later to resolve the issue.
For versions 2.4.2 and earlier, update to TensorFlow 2.4.2 or later to resolve the issue.
For versions 2.3.3 and earlier, update to TensorFlow 2.3.3 or later to resolve the issue.
For versions 2.2.3 and earlier, update to TensorFlow 2.2.3 or later to resolve the issue.
For versions 2.1.4 and earlier, update to TensorFlow 2.1.4 or later to resolve the issue.

As a temporary workaround, consider restricting the use of the hashtable lookup operator in TFLite (for example, by rejecting models that contain it, or models whose lookup values tensor has a zero-sized first dimension) until a patched version can be deployed.
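The following C program is an added illustration of the defect class described above and of the check that closes it; it is not TensorFlow's or TFLite's code, and the tensor_t type, compute_row_bytes and hashtable_lookup functions are hypothetical stand-ins written for this example. It models a hashtable lookup whose per-row byte width is computed as total bytes divided by the first dimension of the values tensor, and shows the zero-row guard that must run before that division. The sample tensors, keys and lookups are constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a TFLite tensor: a shape plus a raw buffer.
 * Not TFLite's own type; kept minimal for the example. */
typedef struct {
    int            dims[4];
    int            num_dims;
    const uint8_t *data;
    size_t         bytes;     /* total buffer size in bytes */
} tensor_t;

/* Derive the per-row byte width of the values tensor.
 * Returns false, without dividing, when the shape is unusable or the first
 * dimension is zero. A model whose values tensor has dims[0] == 0 is the case
 * the advisory describes; an unguarded `bytes / num_rows` would fault here. */
bool compute_row_bytes(const tensor_t *values, size_t *row_bytes) {
    if (values == NULL || row_bytes == NULL || values->num_dims < 1) return false;
    int num_rows = values->dims[0];
    if (num_rows <= 0) return false;             /* the missing check in the vulnerable code */
    *row_bytes = values->bytes / (size_t)num_rows;
    return true;
}

/* For each lookup key, copy the matching value row into `out` (row-major) and
 * set hits[i] to 1; a key that is absent yields a zeroed row and hits[i] == 0.
 * Returns the number of lookups processed, or -1 if the values tensor is
 * rejected by the validation above. A linear scan stands in for the real
 * operator's key search; the point of the example is the guard, not the search. */
int hashtable_lookup(const int32_t *keys, int num_keys,
                     const tensor_t *values,
                     const int32_t *lookups, int num_lookups,
                     uint8_t *out, uint8_t *hits) {
    size_t row_bytes;
    if (!compute_row_bytes(values, &row_bytes)) return -1;
    if (num_keys != values->dims[0]) return -1;  /* one key per value row */
    for (int i = 0; i < num_lookups; i++) {
        int found = -1;
        for (int k = 0; k < num_keys; k++) {
            if (keys[k] == lookups[i]) { found = k; break; }
        }
        hits[i] = (uint8_t)(found >= 0);
        if (found >= 0) {
            memcpy(out + (size_t)i * row_bytes, values->data + (size_t)found * row_bytes, row_bytes);
        } else {
            memset(out + (size_t)i * row_bytes, 0, row_bytes);
        }
    }
    return num_lookups;
}

int main(void) {
    /* Constructed sample: three keys, each mapped to a 4-byte value row. */
    static const uint8_t value_data[12] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12};
    tensor_t good = {{3, 4, 0, 0}, 2, value_data, sizeof value_data};
    int32_t keys[3] = {10, 20, 30};
    int32_t lookups[2] = {20, 99};
    uint8_t out[8], hits[2];

    int n = hashtable_lookup(keys, 3, &good, lookups, 2, out, hits);
    printf("well-formed model: processed %d lookups, hits = %u %u\n", n, hits[0], hits[1]);

    /* Constructed sample of the advisory's malformed model: values has a zero first dimension. */
    tensor_t bad = {{0, 4, 0, 0}, 2, NULL, 0};
    n = hashtable_lookup(keys, 0, &bad, lookups, 2, out, hits);
    printf("zero-row model: operator %s\n", n < 0 ? "rejected before dividing" : "accepted");
    return 0;
}
```

The guard belongs in the operator's prepare step (where shapes are validated) rather than only in the eval step, so that a malformed model is rejected at load time and never reaches the division.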

Weakness Enumeration

Divide By Zero

Related Identifiers

BIT-TENSORFLOW-2021-29604
CVE-2021-29604
GHSA-8RM6-75MF-7R7R
PYSEC-2021-241
PYSEC-2021-532
PYSEC-2021-730

Affected Products

Tensorflow