PT-2021-21789 · Google · Tensorflow

Published 2021-08-12 · Updated 2024-03-06 · CVE-2021-37671

CVSS v4.0: 8.5 High

Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.6.0
TensorFlow versions 2.5.1 and earlier
TensorFlow versions 2.4.3 and earlier
TensorFlow versions 2.3.4 and earlier

Description

An attacker can cause undefined behavior by binding a reference to a null pointer in the tf.raw_ops.Map* and tf.raw_ops.OrderedMap* operations. The implementation checks that indices is in ascending order, but does not check that indices is not empty.

Recommendations

For TensorFlow versions prior to 2.6.0, update to version 2.6.0 or later.
For TensorFlow versions 2.5.1 and earlier, update to version 2.5.1 or later, or apply the patch from GitHub commit 532f5c5a547126c634fefd43bbad1dc6417678ac.
For TensorFlow versions 2.4.3 and earlier, update to version 2.4.3 or later, or apply the patch from GitHub commit 532f5c5a547126c634fefd43bbad1dc6417678ac.
For TensorFlow versions 2.3.4 and earlier, update to version 2.3.4 or later, or apply the patch from GitHub commit 532f5c5a547126c634fefd43bbad1dc6417678ac.
As a temporary workaround, consider avoiding the use of tf.raw_ops.Map* and tf.raw_ops.OrderedMap* operations with empty indices until a patch is available.

Fix

Weakness Enumeration

Access of Uninitialized Pointer

Related Identifiers

BIT-TENSORFLOW-2021-37671
CVE-2021-37671
GHSA-QR82-2C78-4M8H
OPENSUSE-SU-2022:10014-1
OPENSUSE-SU-2024:12116-1
PYSEC-2021-293
PYSEC-2021-584
PYSEC-2021-782

Affected Products

Tensorflow