PT-2021-21766 · Google · Tensorflow

Mihaimaruseac · Published 2021-08-12 · Updated 2024-03-06 · CVE-2021-37650

CVSS v4.0: 8.5 (High)
Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

TensorFlow releases prior to 2.6.0 that lack the backported fix: 2.5.0 (fixed in 2.5.1), 2.4.0 through 2.4.2 (fixed in 2.4.3), and every release before 2.3.4 (fixed in 2.3.4). Nightly and release-candidate builds produced before the fix landed are likewise affected.

Description

The implementations of tf.raw_ops.ExperimentalDatasetToTFRecord and tf.raw_ops.DatasetToTFRecord can trigger a heap buffer overflow and a segmentation fault. The kernel assumes that every element produced by the input dataset is a string tensor and reads each record through a string (tstring) accessor, but nothing validates the element dtype. Feeding a dataset of numeric elements, which is all the upstream reproducer does, makes the op reinterpret a numeric buffer as string objects and read out of bounds on the heap. The fix validates the dtype of each element before writing it and returns an InvalidArgument error instead of crashing.

Recommendations

Update to a release that carries the fix: 2.6.0 or later, or the patched point release of your branch (2.5.1, 2.4.3 or 2.3.4). Alternatively, apply GitHub commit e0b6e58c328059829c3eb968136f17aa72b6c876 to your own build. If you cannot update immediately, do not hand tf.raw_ops.ExperimentalDatasetToTFRecord or tf.raw_ops.DatasetToTFRecord a dataset you do not control, and check the dataset's element_spec for a single scalar tf.string component before calling them. Note that the CVSS vector (AV:L, PR:L) reflects that an attacker must already be able to run a graph containing these ops; the realistic exposure is services that execute untrusted models or data pipelines.
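The following is an added example, not code from this advisory or from TensorFlow: a small audit helper that classifies an installed TensorFlow version against the fixed releases named above (2.3.4, 2.4.3, 2.5.1, 2.6.0), plus a call-site guard that validates a dataset's element_spec in Python before the raw op ever sees it. It assumes that rc/dev builds of a fixed release are still affected, and that element_spec leaves expose `dtype.name` and `shape.rank` (as tf.TensorSpec does). TensorFlow is imported lazily, so the version and spec checks run without it installed.

```python
"""Added example (not from the advisory or TensorFlow): audit helper and
call-site guard for CVE-2021-37650. Assumes the fixed releases listed in the
recommendations above; rc/dev builds of a fixed release count as affected."""
import itertools
from typing import Dict, Iterator, List, Tuple

# First patched point release on each still-supported branch (from the page).
FIXED_PATCH: Dict[Tuple[int, int], int] = {(2, 3): 4, (2, 4): 3, (2, 5): 1}


def parse_version(version: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease) for strings such as
    '2.4.2', '2.5.0rc1' or '2.6.0-dev20210811'."""
    core, _, local = version.partition("-")  # dev/nightly suffix after '-'
    nums: List[int] = []
    pre = bool(local)
    for part in core.split(".")[:3]:
        digits = "".join(itertools.takewhile(str.isdigit, part))
        if digits != part:  # trailing text like 'rc1' marks a pre-release
            pre = True
        nums.append(int(digits or 0))
    nums += [0] * (3 - len(nums))
    return (nums[0], nums[1], nums[2]), pre


def is_affected(version: str) -> bool:
    """True if this TensorFlow version lacks the fix for CVE-2021-37650."""
    (major, minor, patch), pre = parse_version(version)
    if (major, minor) > (2, 6):
        return False
    if (major, minor) == (2, 6):
        return pre  # 2.6.0 final carries the fix; builds before it do not
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return True  # 1.x and 2.0-2.2 never received the backport
    return patch < fixed or (patch == fixed and pre)


def _leaves(spec) -> Iterator:
    """Flatten a nested element_spec (tuples, lists, dicts) into leaf specs."""
    if isinstance(spec, dict):
        for value in spec.values():
            yield from _leaves(value)
    elif isinstance(spec, (tuple, list)):
        for value in spec:
            yield from _leaves(value)
    else:
        yield spec


def check_element_spec(element_spec) -> List[str]:
    """Return the reasons a dataset must not be handed to DatasetToTFRecord
    (empty list == safe). The op, like tf.data.experimental.TFRecordWriter,
    expects each element to be exactly one scalar tf.string tensor; the
    unpatched kernel trusted that without checking."""
    leaves = list(_leaves(element_spec))
    problems: List[str] = []
    if len(leaves) != 1:
        problems.append(f"expected 1 component, got {len(leaves)}")
    for leaf in leaves:
        if leaf.dtype.name != "string":
            problems.append(f"non-string component dtype {leaf.dtype.name}")
        if leaf.shape.rank != 0:
            problems.append(f"non-scalar component rank {leaf.shape.rank}")
    return problems


def safe_dataset_to_tfrecord(dataset, filename: str, compression_type: str = ""):
    """Call tf.raw_ops.DatasetToTFRecord only after validating the element spec
    in Python, so the protection does not depend on the installed kernel."""
    problems = check_element_spec(dataset.element_spec)
    if problems:
        raise TypeError("refusing DatasetToTFRecord: " + "; ".join(problems))
    import tensorflow as tf  # lazy: everything above runs without TensorFlow
    return tf.raw_ops.DatasetToTFRecord(
        input_dataset=tf.data.experimental.to_variant(dataset),
        filename=filename,
        compression_type=compression_type,
    )
```

With TensorFlow installed, `safe_dataset_to_tfrecord(tf.data.Dataset.from_tensor_slices(["a", "b"]), "/tmp/out.tfrecord")` writes the file, while `safe_dataset_to_tfrecord(tf.data.Dataset.range(3), "/tmp/out.tfrecord")` raises TypeError before the raw op runs; `is_affected(tf.__version__)` tells you whether that guard is a mitigation or merely belt-and-braces.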

Tags: Fix · Buffer Overflow · Memory Corruption

Weakness Enumeration

Related Identifiers

BIT-TENSORFLOW-2021-37650
CVE-2021-37650
GHSA-F8H4-7RGH-Q2GM
OPENSUSE-SU-2022:10014-1
OPENSUSE-SU-2024:12116-1
PYSEC-2021-272
PYSEC-2021-563
PYSEC-2021-761

Affected Products

Tensorflow