PT-2021-21780 · Google · Tensorflow

Published 2021-08-12 · Updated 2024-03-06 · CVE-2021-37663

CVSS v4.0: 8.5 (High)
Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
TensorFlow versions prior to 2.6.0
TensorFlow versions 2.5.1 and earlier
TensorFlow versions 2.4.3 and earlier
TensorFlow versions 2.3.4 and earlier
Description
Due to incomplete validation in tf.raw_ops.QuantizeV2, an attacker can trigger undefined behavior by binding a reference to a null pointer, or can read data outside the bounds of heap-allocated arrays. The implementation performs some validation but does not check that min_range and max_range both have the same non-zero number of elements. If axis is provided, validation should also check that it is within range for the rank of the input tensor, and that the lengths of the min_range and max_range inputs match the size of the input tensor's axis dimension.
Recommendations
For versions prior to 2.6.0, update to TensorFlow 2.6.0 or later. For versions 2.5.1 and earlier, update to TensorFlow 2.5.1 or later. For versions 2.4.3 and earlier, update to TensorFlow 2.4.3 or later. For versions 2.3.4 and earlier, update to TensorFlow 2.3.4 or later. As a temporary workaround, consider disabling the tf.raw_ops.QuantizeV2 function until a patch is available. Restrict access to the tf.raw_ops.QuantizeV2 function to minimize the risk of exploitation. Avoid using the min_range and max_range parameters in the affected API endpoint until the issue is resolved.
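The checks the description says were missing, and that the workaround above asks callers to enforce themselves, can be applied before the op is ever invoked. The following is an added example, not TensorFlow's own code: a pure-Python pre-check over shape tuples (as obtained from a tensor's shape) that encodes the advisory's three conditions, so it runs without TensorFlow installed. The function names, the shape-tuple interface and the sample cases are our own; the only TensorFlow fact relied on is that axis=-1 is the op's default meaning "no axis given".

```python
# Added example (not TensorFlow's own code): a pure-Python pre-check that
# reproduces the argument validation this advisory says tf.raw_ops.QuantizeV2
# lacked. It works on shape tuples (e.g. tuple(tensor.shape)), so it runs
# without TensorFlow; the function and parameter names are ours.
from math import prod


def check_quantize_v2_args(input_shape, min_range_shape, max_range_shape, axis=-1):
    """Return None if the shapes satisfy the advisory's conditions, else a
    string naming the first violated check.

    axis == -1 is QuantizeV2's default and means "no axis given"
    (per-tensor quantization), so only the element-count checks apply then.
    """
    # Element count of a tensor is the product of its dimensions; prod(()) == 1,
    # so a scalar (shape ()) counts as one element and any zero dim gives 0.
    n_min = prod(min_range_shape)
    n_max = prod(max_range_shape)

    # 1. min_range and max_range must have the same, non-zero, element count.
    if n_min == 0 or n_max == 0:
        return "min_range and max_range must contain at least one element"
    if n_min != n_max:
        return f"min_range has {n_min} elements but max_range has {n_max}"

    if axis == -1:
        return None  # per-tensor mode: nothing further to check

    # 2. axis must be a valid dimension index for the input's rank.
    rank = len(input_shape)
    if not 0 <= axis < rank:
        return f"axis {axis} is out of range for an input of rank {rank}"

    # 3. per-axis mode: exactly one min/max value per slice along `axis`.
    if n_min != input_shape[axis]:
        return (f"min_range/max_range have {n_min} elements but the input has "
                f"{input_shape[axis]} entries along axis {axis}")
    return None


def validate_quantize_v2_args(input_shape, min_range_shape, max_range_shape, axis=-1):
    """Guard form: raise ValueError on the first violated check, else return None.
    Call this immediately before tf.raw_ops.QuantizeV2 on unpatched versions."""
    problem = check_quantize_v2_args(input_shape, min_range_shape, max_range_shape, axis)
    if problem is not None:
        raise ValueError(f"refusing QuantizeV2 call: {problem}")
    return None


if __name__ == "__main__":
    # Constructed cases: (input_shape, min_range_shape, max_range_shape, axis)
    cases = [
        ((4, 3), (3,), (3,), 1),   # valid per-axis call
        ((4, 3), (), (), -1),      # valid per-tensor call with scalar ranges
        ((4, 3), (0,), (0,), -1),  # empty ranges: the advisory's null-reference case
        ((4, 3), (3,), (2,), 1),   # mismatched counts: reads past the shorter array
        ((4, 3), (3,), (3,), 2),   # axis beyond the input's rank
        ((4, 3), (4,), (4,), 1),   # count does not match the axis extent
    ]
    for case in cases:
        print(case, "->", check_quantize_v2_args(*case) or "ok")
```

Running the block prints one line per constructed case; the first two report "ok" and the rest name the violated condition. Wrapping the op behind validate_quantize_v2_args turns the undefined behaviour described above into an ordinary ValueError raised in the caller, which is also the place to log the rejected shapes for later review.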

Fix

RCE

Weakness Enumeration

Related Identifiers

BIT-TENSORFLOW-2021-37663
CVE-2021-37663
GHSA-G25H-JR74-QP5J
OPENSUSE-SU-2022:10014-1
OPENSUSE-SU-2024:12116-1
PYSEC-2021-285
PYSEC-2021-576
PYSEC-2021-774

Affected Products

Tensorflow