CVE-2021-29613

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier

Description Incomplete validation in tf.raw ops.CTCLoss allows an attacker to trigger an out-of-bounds read from the heap, a heap buffer overflow, or a null pointer dereference. This issue affects TensorFlow and can be exploited by providing specially crafted input to the tf.raw ops.CTCLoss function.

Recommendations For versions prior to 2.5.0, update to TensorFlow 2.5.0 or later. For versions 2.4.2 and earlier, update to TensorFlow 2.4.2 or later. For versions 2.3.3 and earlier, update to TensorFlow 2.3.3 or later. For versions 2.2.3 and earlier, update to TensorFlow 2.2.3 or later. For versions 2.1.4 and earlier, update to TensorFlow 2.1.4 or later. As a temporary workaround, consider disabling the tf.raw ops.CTCLoss function until a patch is available. Restrict access to the tf.raw ops.CTCLoss function to minimize the risk of exploitation. Avoid using the inputs, labels indices, labels values, and sequence length parameters in the affected API endpoint until the issue is resolved.