CVE-2021-37656

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.6.0 TensorFlow versions 2.5.1 and earlier TensorFlow versions 2.4.3 and earlier TensorFlow versions 2.3.4 and earlier

Description TensorFlow is an end-to-end open source platform for machine learning. In affected versions, an attacker can cause undefined behavior via binding a reference to null pointer in tf.raw ops.RaggedTensorToSparse. The implementation has an incomplete validation of the splits values: it does not check that they are in increasing order.

Recommendations For versions prior to 2.6.0, update to TensorFlow 2.6.0 or later. For versions 2.5.1 and earlier, update to TensorFlow 2.5.1 or later. For versions 2.4.3 and earlier, update to TensorFlow 2.4.3 or later. For versions 2.3.4 and earlier, update to TensorFlow 2.3.4 or later. As a temporary workaround, consider disabling the tf.raw ops.RaggedTensorToSparse function until a patch is available.