CVE-2021-37648

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.6.0 TensorFlow versions 2.5.1 and earlier TensorFlow versions 2.4.3 and earlier TensorFlow versions 2.3.4 and earlier

Description The code for tf.raw ops.SaveV2 does not properly validate the inputs, allowing an attacker to trigger a null pointer dereference. The implementation uses ValidateInputs to check that the input arguments are valid, but the validation uses OP REQUIRES which does not finalize the kernel execution, making it equivalent to lacking the validation.

Recommendations For versions prior to 2.6.0, update to TensorFlow 2.6.0 or later. For versions 2.5.1 and earlier, update to TensorFlow 2.5.1 or later, or apply the patch from GitHub commit 9728c60e136912a12d99ca56e106b7cce7af5986. For versions 2.4.3 and earlier, update to TensorFlow 2.4.3 or later, or apply the patch from GitHub commit 9728c60e136912a12d99ca56e106b7cce7af5986. For versions 2.3.4 and earlier, update to TensorFlow 2.3.4 or later, or apply the patch from GitHub commit 9728c60e136912a12d99ca56e106b7cce7af5986. As a temporary workaround, consider disabling the tf.raw ops.SaveV2 function until a patch is available.