CVE-2021-37666

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.6.0 TensorFlow versions 2.5.1 and earlier TensorFlow versions 2.4.3 and earlier TensorFlow versions 2.3.4 and earlier

Description An attacker can cause undefined behavior via binding a reference to null pointer in tf.raw ops.RaggedTensorToVariant. The implementation has an incomplete validation of the splits values, missing the case when the argument would be empty. This can be exploited by passing empty rt nested splits to tf.raw ops.RaggedTensorToVariant, as shown in the example:

import tensorflow as tf

tf.raw ops.RaggedTensorToVariant(
 rt nested splits=[],
 rt dense values=[1,2,3],
 batched input=True)

The issue is due to the missing validation of the rt nested splits argument.

Recommendations For versions prior to 2.6.0, update to TensorFlow 2.6.0 or later. For versions 2.5.1 and earlier, update to TensorFlow 2.5.1 or later. For versions 2.4.3 and earlier, update to TensorFlow 2.4.3 or later. For versions 2.3.4 and earlier, update to TensorFlow 2.3.4 or later. As a temporary workaround, consider validating the rt nested splits argument before passing it to tf.raw ops.RaggedTensorToVariant to prevent empty values.