PT-2021-21768 · Google · Tensorflow

Mihaimaruseac · Published 2021-08-12 · Updated 2024-03-06 · CVE-2021-37652

CVSS v4.0: 8.5 (High)

Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.6.0
TensorFlow versions 2.5.1 and earlier
TensorFlow versions 2.4.3 and earlier
TensorFlow versions 2.3.4 and earlier

Description

The implementation of tf.raw_ops.BoostedTreesCreateEnsemble can result in a use-after-free error if an attacker supplies specially crafted arguments. The code decrements the reference count of a reference-counted resource when initialization fails, but a later refactoring changed the resource to a smart pointer. The result is a double free, in which members of the resource object are accessed after being freed.

Recommendations

For versions prior to 2.6.0, update to TensorFlow 2.6.0 or later.
For versions 2.5.1 and earlier, cherry-pick the commit 5ecec9c6fbdbc6be03295685190a45e7eee726ab to fix the issue.
For versions 2.4.3 and earlier, cherry-pick the commit 5ecec9c6fbdbc6be03295685190a45e7eee726ab to fix the issue.
For versions 2.3.4 and earlier, cherry-pick the commit 5ecec9c6fbdbc6be03295685190a45e7eee726ab to fix the issue.
As a temporary workaround, consider avoiding the use of tf.raw_ops.BoostedTreesCreateEnsemble until a patch is available.
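
The ownership mistake named in the Description, reduced to a minimal C++ model: a manual release left on the failure path after ownership moved to a smart pointer, next to a form where only the smart pointer releases. This is an added example, not TensorFlow's code; `Resource`, `OwnedRef`, `releases_buggy` and `releases_fixed` are hypothetical names, and releases are counted rather than freed so the double release can be observed safely.

```cpp
#include <string>

// Hypothetical stand-in for a reference-counted resource. It counts releases
// instead of calling delete, so a double free shows up as destroy_calls == 2
// without triggering undefined behaviour.
struct Resource {
  int refs = 1;           // the creator holds the only reference
  int destroy_calls = 0;  // times the count dropped to zero or below
  void Unref() { if (--refs <= 0) ++destroy_calls; }
  // Constructed validity rule: a serialized blob must start with 'T'.
  bool Init(const std::string& blob) { return !blob.empty() && blob[0] == 'T'; }
};

// Hypothetical owning smart pointer: releases its reference on scope exit.
class OwnedRef {
 public:
  explicit OwnedRef(Resource* r) : r_(r) {}
  ~OwnedRef() { if (r_) r_->Unref(); }
  OwnedRef(const OwnedRef&) = delete;
  OwnedRef& operator=(const OwnedRef&) = delete;
  Resource* operator->() const { return r_; }
  Resource* release() { Resource* r = r_; r_ = nullptr; return r; }
 private:
  Resource* r_;
};

// Leftover manual Unref() on the failure path, after ownership moved to OwnedRef.
int releases_buggy(const std::string& blob) {
  Resource res;
  {
    OwnedRef owner(&res);
    if (!owner->Init(blob)) {
      owner->Unref();   // first release (pre-refactoring cleanup)
    } else {
      owner.release();  // success: ownership handed to the caller
    }
  }                     // on failure the destructor releases a second time
  return res.destroy_calls;
}

// Corrected form: the smart pointer is the only thing that releases.
int releases_fixed(const std::string& blob) {
  Resource res;
  {
    OwnedRef owner(&res);
    if (owner->Init(blob)) owner.release();
  }
  return res.destroy_calls;
}
```

With a real allocator the second release in `releases_buggy` would operate on freed memory; running such code under AddressSanitizer reports it as a double free or heap-use-after-free.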

Fix

Weakness Enumeration

Double Free
Use After Free

Related Identifiers

BIT-TENSORFLOW-2021-37652
CVE-2021-37652
GHSA-M7FM-4JFH-JRG6
OPENSUSE-SU-2022:10014-1
OPENSUSE-SU-2024:12116-1
PYSEC-2021-274
PYSEC-2021-565
PYSEC-2021-763

Affected Products

Tensorflow