PT-2021-21778 · Google · Tensorflow

Published: 2021-08-12 · Updated: 2024-03-06 · CVE-2021-37661

CVSS v4.0: 6.8 (Medium)
Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.6.0
TensorFlow version 2.5.1
TensorFlow version 2.4.3
TensorFlow version 2.3.4

Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions, an attacker can cause a denial of service in boosted trees create quantile stream resource by passing negative arguments. The implementation does not validate that num_streams contains only non-negative numbers; a negative value is implicitly converted to a large positive unsigned integer, which causes a crash in the standard library.

Recommendations

Update to TensorFlow 2.6.0 or later to resolve the issue. For TensorFlow 2.5.1, 2.4.3 and 2.3.4, update to a newer version that includes the fix. As a temporary workaround, validate the num_streams argument to ensure it only contains non-negative numbers before calling boosted trees create quantile stream resource.
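The following Python is an added illustration of the temporary workaround above; it is not TensorFlow's own code and does not require TensorFlow to run. It models the signed-to-unsigned conversion the description refers to (assuming a 64-bit size_t) and wraps the op call behind a validation guard. The wrapper name `create_quantile_stream_resource_checked`, the `create_fn` callback and the keyword names it forwards (`quantile_stream_resource_handle`, `epsilon`, `num_streams`) are assumptions; the intended target is `tf.raw_ops.BoostedTreesCreateQuantileStreamResource`, passed in as `create_fn`.

```python
"""Guard for the num_streams argument (added example, not TensorFlow code)."""
from typing import Callable, Sequence, Union

# Assumption: size_t is 64 bits wide on the platform being modelled.
UINT64_MASK = (1 << 64) - 1

Num = Union[int, Sequence[int]]


def as_unsigned(value: int) -> int:
    """Model the implicit int64 -> size_t conversion named in the advisory.

    A negative count does not stay negative: it wraps to a huge positive
    number, which is what the unchecked allocation in the op then uses.
    """
    return value & UINT64_MASK


def validate_num_streams(num_streams: Num) -> list:
    """Return num_streams as a list of ints, rejecting negatives and non-ints.

    Accepts a scalar int or a sequence of ints (plain Python values; a NumPy
    array would need converting with .tolist() first).
    """
    values = [num_streams] if not isinstance(num_streams, Sequence) else list(num_streams)
    if not values:
        raise ValueError("num_streams must contain at least one element")
    for i, v in enumerate(values):
        # bool is a subclass of int; reject it explicitly so True/False don't slip through
        if isinstance(v, bool) or not isinstance(v, int):
            raise TypeError(f"num_streams[{i}] must be an int, got {type(v).__name__}")
        if v < 0:
            raise ValueError(
                f"num_streams[{i}] = {v} is negative "
                f"(would be treated as {as_unsigned(v)} by an unsigned size)"
            )
    return values


def create_quantile_stream_resource_checked(create_fn: Callable[..., object],
                                           handle: object,
                                           epsilon: float,
                                           num_streams: Num,
                                           **kwargs) -> object:
    """Validate num_streams, then delegate to create_fn (hypothetical wrapper).

    create_fn is expected to be the raw op, e.g.
    tf.raw_ops.BoostedTreesCreateQuantileStreamResource; the keyword names
    forwarded here are assumed to match that op's signature.
    """
    validate_num_streams(num_streams)  # raises before the op is ever reached
    return create_fn(quantile_stream_resource_handle=handle,
                     epsilon=epsilon,
                     num_streams=num_streams,
                     **kwargs)


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed, one carrying a negative count.
    print("accepted:", validate_num_streams([3, 0, 7]))
    try:
        validate_num_streams([3, -1])
    except ValueError as exc:
        print("rejected:", exc)
```

The guard belongs at the boundary where untrusted input (a model definition, a serialized graph, a request parameter) is turned into op arguments; once the value reaches the C++ kernel in an affected version, the wraparound has already happened.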

Fix


Weakness Enumeration

Related Identifiers

BIT-TENSORFLOW-2021-37661
CVE-2021-37661
GHSA-GF88-J2MG-CC82
OPENSUSE-SU-2022:10014-1
OPENSUSE-SU-2024:12116-1
PYSEC-2021-283
PYSEC-2021-574
PYSEC-2021-772

Affected Products

Tensorflow