PT-2021-21801 · Google · TensorFlow

Mihaimaruseac · Published 2021-08-12 · Updated 2024-03-06 · CVE-2021-37682

CVSS v3.1: 7.1 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.3.4
TensorFlow 2.4.0 through 2.4.2
TensorFlow 2.5.0

The fix ships in TensorFlow 2.6.0 and is backported to the patch releases 2.5.1, 2.4.3 and 2.3.4.
Description

All TFLite operators that use quantization can be made to read uninitialized values. In a TfLiteTensor, the quantization.params pointer is only valid when quantization.type is something other than kTfLiteNoQuantization; a tensor that declares no quantization never has its params block initialized. Large parts of the kernel code nevertheless cast quantization.params to the expected parameter struct and dereference it without first checking quantization.type, so a model that declares no quantization but still reaches a quantized kernel makes that kernel compute with whatever the uninitialized params slot happens to contain.
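The missing check, shown as an added example that is not TensorFlow's own code: the types below are hand-written simplifications of TfLiteQuantization and TfLiteAffineQuantization from tensorflow/lite/c/common.h (the real structs have more members), and the functions filter_scale_unchecked, filter_scale_checked, stale_case and valid_case are hypothetical names chosen for this illustration. Reading genuinely uninitialized memory is undefined behaviour, so a stale params block with a sentinel scale is constructed in its place to make the wrong read deterministic and visible.

```c
#include <stddef.h>
#include <stdio.h>

/* Hand-written simplifications of the TFLite types involved (the real
 * definitions live in tensorflow/lite/c/common.h); only the members this
 * example needs are kept. Illustrative code, not TensorFlow's own. */
typedef enum { kTfLiteOk = 0, kTfLiteError = 1 } TfLiteStatus;
typedef enum {
  kTfLiteNoQuantization = 0,
  kTfLiteAffineQuantization = 1
} TfLiteQuantizationType;

typedef struct { int size; float data[4]; } FloatArray;  /* fixed capacity for the demo */

typedef struct {
  FloatArray* scale;           /* per-channel scale factors */
  int quantized_dimension;
} TfLiteAffineQuantization;

typedef struct {
  TfLiteQuantizationType type;
  void* params;                /* valid ONLY when type != kTfLiteNoQuantization */
} TfLiteQuantization;

typedef struct { TfLiteQuantization quantization; } TfLiteTensor;  /* trimmed */

/* Pre-fix pattern: casts params and dereferences it, checking for NULL but
 * never consulting quantization.type. When the model declared no
 * quantization, params was never initialised and the cast reads garbage. */
TfLiteStatus filter_scale_unchecked(const TfLiteTensor* t, int ch, float* out) {
  const TfLiteAffineQuantization* aq =
      (const TfLiteAffineQuantization*)t->quantization.params;
  if (aq == NULL || aq->scale == NULL) return kTfLiteError;
  *out = aq->scale->data[ch];
  return kTfLiteOk;
}

/* Post-fix pattern: params is only trusted once type says it holds an affine
 * quantization block; the channel index is bounds-checked as well. */
TfLiteStatus filter_scale_checked(const TfLiteTensor* t, int ch, float* out) {
  if (t->quantization.type != kTfLiteAffineQuantization) return kTfLiteError;
  const TfLiteAffineQuantization* aq =
      (const TfLiteAffineQuantization*)t->quantization.params;
  if (aq == NULL || aq->scale == NULL) return kTfLiteError;
  if (ch < 0 || ch >= aq->scale->size) return kTfLiteError;
  *out = aq->scale->data[ch];
  return kTfLiteOk;
}

/* Constructed inputs. The "stale" block stands in for uninitialised memory:
 * real garbage would be arbitrary bytes; the sentinel just makes the wrong
 * read observable and deterministic. */
static FloatArray g_stale_scale = { 1, { -12345.0f, 0.0f, 0.0f, 0.0f } };
static TfLiteAffineQuantization g_stale_params = { &g_stale_scale, 0 };
static FloatArray g_good_scale = { 1, { 0.5f, 0.0f, 0.0f, 0.0f } };
static TfLiteAffineQuantization g_good_params = { &g_good_scale, 0 };

/* Tensor whose model metadata says "no quantization" while the params slot
 * still holds whatever was there before: the CVE-2021-37682 situation. */
TfLiteStatus stale_case(int hardened, float* out) {
  TfLiteTensor t;
  t.quantization.type = kTfLiteNoQuantization;
  t.quantization.params = &g_stale_params;
  return hardened ? filter_scale_checked(&t, 0, out)
                  : filter_scale_unchecked(&t, 0, out);
}

/* Properly quantized tensor: both paths must agree on the result. */
TfLiteStatus valid_case(int hardened, float* out) {
  TfLiteTensor t;
  t.quantization.type = kTfLiteAffineQuantization;
  t.quantization.params = &g_good_params;
  return hardened ? filter_scale_checked(&t, 0, out)
                  : filter_scale_unchecked(&t, 0, out);
}

int main(void) {
  float v = 0.0f;
  TfLiteStatus s = stale_case(0, &v);
  printf("unchecked, no-quantization tensor: status=%d scale=%g\n", s, v);
  s = stale_case(1, &v);
  printf("checked,   no-quantization tensor: status=%d\n", s);
  s = valid_case(1, &v);
  printf("checked,   affine tensor:          status=%d scale=%g\n", s, v);
  return 0;
}
```

The unchecked path happily returns kTfLiteOk with the sentinel -12345 as the filter scale; in a real interpreter that value would be whatever bytes the allocator left behind, which is what lets a crafted model steer the kernel's arithmetic (CVSS I:H/A:H). The checked path refuses the tensor before the cast, which is the shape of the fix applied across the TFLite kernels.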
Recommendations

Upgrade to TensorFlow 2.6.0 or later. If you must stay on a supported older branch, upgrade to the patch release that carries the backported fix: 2.5.1 for the 2.5.x branch, 2.4.3 for the 2.4.x branch, or 2.3.4 for the 2.3.x branch. Patched releases are available for all of these branches; if an upgrade cannot be applied immediately, avoid running TFLite models that use quantization, in particular models from untrusted sources, until the affected deployment is updated.

Fix

Fixed in TensorFlow 2.6.0 and backported to the patch releases 2.5.1, 2.4.3 and 2.3.4 (see Recommendations).

Weakness Enumeration

CWE-908: Use of Uninitialized Resource

Related Identifiers

BIT-TENSORFLOW-2021-37682
CVE-2021-37682
GHSA-4C4G-CRQM-XRXW
OPENSUSE-SU-2022:10014-1
OPENSUSE-SU-2024:12116-1
PYSEC-2021-304
PYSEC-2021-595
PYSEC-2021-793

Affected Products

TensorFlow