PT-2021-23184 · Google · Tensorflow

Published: 2021-11-05 · Updated: 2024-03-06 · CVE-2021-41211

CVSS v3.1: 7.1 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions: TensorFlow version 2.6.1; TensorFlow versions prior to 2.7.0.

Description: The shape inference code for QuantizeV2 can trigger a read outside the bounds of a heap-allocated array. This occurs whenever axis is a negative value less than -1, which results in accessing data before the start of a heap buffer. The code accepts axis as an optional argument; if axis is less than -1, the result is a heap out-of-bounds (OOB) read.

Recommendations: For TensorFlow version 2.6.1, update to a newer version that includes the fix, such as TensorFlow 2.7.0. For TensorFlow versions prior to 2.7.0, update to TensorFlow 2.7.0 to resolve the issue. As a temporary workaround, consider restricting the use of the QuantizeV2 function with negative axis values until a patch is available.
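The workaround above amounts to refusing axis values the op cannot handle before they reach the runtime. The following is an added example written for this advisory, not code from TensorFlow or from the advisory itself: a small guard that validates the QuantizeV2 axis argument against the input's rank and an audit helper that scans a batch of quantization requests for offending values. The function names (validate_quantize_axis, guarded_quantize, audit_axis_requests), the quantize_fn stand-in and the SAMPLE_REQUESTS list are constructed for illustration; the accepted range (-1 meaning per-tensor quantization, otherwise 0 to rank-1) is an assumption drawn from the description, not a contract the advisory states.

```python
# Added example: a defensive guard for the QuantizeV2 `axis` argument.
# This is illustrative code written for this advisory, NOT TensorFlow's own
# implementation or its fix. Assumptions: QuantizeV2 accepts axis == -1 to mean
# "quantize the whole tensor" and otherwise expects 0 <= axis < rank(input);
# any axis below -1 is the input class the advisory describes as triggering
# the heap out-of-bounds read during shape inference. `quantize_fn` is a
# hypothetical callable standing in for whatever eventually invokes the op.
from typing import Callable, Iterable, List, Optional, Sequence, Tuple

NO_AXIS = -1  # per-tensor quantization sentinel used by QuantizeV2


class InvalidQuantizeAxis(ValueError):
    """Raised when an axis value would fall outside the op's valid range."""


def validate_quantize_axis(axis: Optional[int], rank: int) -> int:
    """Return a checked axis for a rank-`rank` input, or raise.

    Accepts None (treated as the default -1), -1 itself, or 0 <= axis < rank.
    Rejects axis < -1 (the advisory's trigger) and axis >= rank.
    """
    if rank < 0:
        raise InvalidQuantizeAxis(f"rank must be non-negative, got {rank}")
    if axis is None:
        return NO_AXIS
    # bool is an int subclass; refuse it so True/False cannot masquerade as 1/0
    if isinstance(axis, bool) or not isinstance(axis, int):
        raise InvalidQuantizeAxis(f"axis must be an int, got {type(axis).__name__}")
    if axis == NO_AXIS:
        return NO_AXIS
    if 0 <= axis < rank:
        return axis
    raise InvalidQuantizeAxis(
        f"axis {axis} is out of range for a rank-{rank} input; "
        f"allowed values are -1 or 0..{rank - 1}"
    )


def is_safe_axis(axis: Optional[int], rank: int) -> bool:
    """Boolean form of validate_quantize_axis, convenient for filtering."""
    try:
        validate_quantize_axis(axis, rank)
        return True
    except InvalidQuantizeAxis:
        return False


def guarded_quantize(input_shape: Sequence[int], axis: Optional[int],
                     quantize_fn: Callable[..., object]) -> object:
    """Validate `axis` against the input's rank before handing it to the op.

    `quantize_fn` is a hypothetical stand-in for the call that reaches
    QuantizeV2 (for instance a thin wrapper around tf.quantization.quantize);
    it is only invoked with an axis that has passed the range check.
    """
    checked = validate_quantize_axis(axis, len(input_shape))
    return quantize_fn(axis=checked)


def audit_axis_requests(
    requests: Iterable[Tuple[str, Sequence[int], Optional[int]]],
) -> List[Tuple[str, Optional[int], str]]:
    """Scan (name, input_shape, axis) records and report the ones to reject.

    Useful for vetting a set of quantization configs before they reach an
    unpatched runtime. Returns (name, axis, reason) for every rejected entry.
    """
    rejected = []
    for name, shape, axis in requests:
        try:
            validate_quantize_axis(axis, len(shape))
        except InvalidQuantizeAxis as exc:
            rejected.append((name, axis, str(exc)))
    return rejected


# Constructed sample requests (not from any real model or from the advisory).
SAMPLE_REQUESTS = [
    ("conv1/weights", (3, 3, 64, 128), 3),     # per-channel on last dim: ok
    ("dense/bias", (128,), -1),                # per-tensor: ok
    ("embedding", (5000, 256), None),          # default axis: ok
    ("attn/scores", (8, 128, 128), -2),        # below -1: the advisory's trigger
    ("norm/gamma", (256,), 1),                 # >= rank: also out of range
]

if __name__ == "__main__":
    for name, axis, reason in audit_axis_requests(SAMPLE_REQUESTS):
        print(f"REJECT {name} (axis={axis}): {reason}")
```

Running the module lists the two constructed requests that fail the check. The guard is deliberately stricter than Python-style negative indexing: it treats -1 as the op's per-tensor sentinel rather than as "last dimension", because any other negative value is precisely what the advisory says reaches the out-of-bounds read.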

Weakness Enumeration

Out of bounds Read

Related Identifiers

BIT-TENSORFLOW-2021-41211
CVE-2021-41211
GHSA-CVGX-3V3Q-M36C
OPENSUSE-SU-2024:12116-1
PYSEC-2021-403
PYSEC-2021-620
PYSEC-2021-818

Affected Products

Tensorflow