PT-2021-23193 · Google · Tensorflow

Published: 2021-11-05 · Updated: 2024-03-06 · CVE-2021-41220

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
TensorFlow versions prior to 2.7.0
TensorFlow version 2.6.1

Description
TensorFlow is an open source platform for machine learning. The async implementation of CollectiveReduceV2 suffers from a memory leak and a use after free: the computation runs asynchronously and accesses objects that have already been std::move()d from.

Recommendations
For versions prior to 2.7.0, update to TensorFlow 2.7.0 to resolve the issue. For version 2.6.1, apply the cherry-picked commit to resolve the issue. As a temporary workaround, consider disabling the CollectiveReduceV2 function until a patch is available.

Weakness Enumeration

Use After Free

Related Identifiers

BIT-TENSORFLOW-2021-41220
CVE-2021-41220
GHSA-GPFH-JVF9-7WG5
OPENSUSE-SU-2024:12116-1
PYSEC-2021-412
PYSEC-2021-629
PYSEC-2021-827

Affected Products

Tensorflow