PT-2021-23174 · Google · Tensorflow

Mihaimaruseac · Published 2021-11-05 · Updated 2024-03-06 · CVE-2021-41202

CVSS v4.0: 6.8 (Medium)

Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.7.0
TensorFlow versions 2.6.1 and earlier
TensorFlow versions 2.5.2 and earlier
TensorFlow versions 2.4.4 and earlier

Description

The issue arises from a conditional statement within the tf.range kernel, where both branches of the condition are cast to double due to C++ implicit conversion rules, resulting in truncation before assignment and leading to overflows. This can cause crashes when the start or end point of tf.range is too large. The estimated number of potentially affected devices worldwide is not available.

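
The conversion rule named in the description, shown as an added illustration that is not TensorFlow's kernel code: a conditional with one int64 branch and one double branch has type double, so the integer result loses precision on its way to the assignment. The function names and the sample value are assumptions made for this example, and `checked_range_size` is one possible integer-only alternative, not the project's fix.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <type_traits>

// Constructed illustration, not TensorFlow source: all names are hypothetical.
// With an int64 branch and a double branch, the conditional's type is double.
using Mixed = decltype(true ? std::int64_t{0} : std::ceil(0.0));
static_assert(std::is_same<Mixed, double>::value, "integer branch is converted too");

// Buggy shape: the integer count travels through double before assignment.
// Callers must keep values in range; out-of-range double -> int64 is undefined.
std::int64_t size_via_mixed_conditional(bool integral, std::int64_t n, double x) {
  const double as_double = integral ? n : std::ceil(x);
  return static_cast<std::int64_t>(as_double);
}

// Hardened shape: integer-only arithmetic, rejects delta == 0 and counts that
// do not fit in int64. Returns false instead of producing a bogus size.
bool checked_range_size(std::int64_t start, std::int64_t limit,
                        std::int64_t delta, std::int64_t* out) {
  if (delta == 0) return false;
  const bool up = delta > 0;
  if (up ? start >= limit : start <= limit) { *out = 0; return true; }
  // Unsigned subtraction wraps by definition and yields the exact span.
  const std::uint64_t hi = static_cast<std::uint64_t>(up ? limit : start);
  const std::uint64_t lo = static_cast<std::uint64_t>(up ? start : limit);
  const std::uint64_t span = hi - lo;
  const std::uint64_t step = up ? static_cast<std::uint64_t>(delta)
                                : std::uint64_t{0} - static_cast<std::uint64_t>(delta);
  const std::uint64_t count = span / step + (span % step != 0 ? 1 : 0);
  if (count > static_cast<std::uint64_t>(std::numeric_limits<std::int64_t>::max()))
    return false;
  *out = static_cast<std::int64_t>(count);
  return true;
}

int main() {
  const std::int64_t big = (std::int64_t{1} << 53) + 1;  // constructed input
  std::int64_t exact = 0;
  checked_range_size(0, big, 1, &exact);
  std::printf("via double: %lld, integer-only: %lld\n",
              static_cast<long long>(size_via_mixed_conditional(true, big, 0.0)),
              static_cast<long long>(exact));
  return 0;
}
```
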
Recommendations

For versions prior to 2.7.0, update to TensorFlow 2.7.0 or later.
For versions 2.6.1 and earlier, update to TensorFlow 2.6.1 or later.
For versions 2.5.2 and earlier, update to TensorFlow 2.5.2 or later.
For versions 2.4.4 and earlier, update to TensorFlow 2.4.4 or later.
As a temporary workaround, consider avoiding the use of tf.range with large start or end points until a patch is available.
Restrict access to the tf.range kernel to minimize the risk of exploitation.

Related Identifiers

BIT-TENSORFLOW-2021-41202
CVE-2021-41202
GHSA-XRQM-FPGR-6HHX
OPENSUSE-SU-2024:12116-1
PYSEC-2021-395
PYSEC-2021-612
PYSEC-2021-810

Affected Products

Tensorflow