CVE-2021-37643

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.6.0 TensorFlow versions 2.5.1 and earlier TensorFlow versions 2.4.3 and earlier TensorFlow versions 2.3.4 and earlier

Description The issue occurs when a user does not provide a valid padding value to tf.raw ops.MatrixDiagPartOp, triggering a null pointer dereference if the input is empty or producing invalid behavior by ignoring all values after the first. The implementation reads the first value from a tensor buffer without checking if the tensor has values to read from.

Recommendations For versions prior to 2.6.0, update to TensorFlow 2.6.0 or later. For versions 2.5.1 and earlier, update to TensorFlow 2.5.1 or later. For versions 2.4.3 and earlier, update to TensorFlow 2.4.3 or later. For versions 2.3.4 and earlier, update to TensorFlow 2.3.4 or later. As a temporary workaround, consider validating the input to tf.raw ops.MatrixDiagPartOp to ensure a valid padding value is provided.