PT-2021-23194 · Google · Tensorflow

Published: 2021-11-05 · Updated: 2024-03-06 · CVE-2021-41221

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.7.0
TensorFlow versions 2.6.1 and earlier
TensorFlow versions 2.5.2 and earlier
TensorFlow versions 2.4.4 and earlier
Description

The shape inference code for the Cudnn* operations in TensorFlow can be tricked into accessing invalid memory via a heap buffer overflow. This occurs because the ranks of the input, input_h, and input_c parameters are not validated, while the code assumes they have certain values.
Recommendations

For versions prior to 2.7.0, update to TensorFlow 2.7.0 or later.
For versions 2.6.1 and earlier, update to TensorFlow 2.6.1 or later.
For versions 2.5.2 and earlier, update to TensorFlow 2.5.2 or later.
For versions 2.4.4 and earlier, update to TensorFlow 2.4.4 or later.

As a temporary workaround, consider restricting the use of the Cudnn* operations until a patch is available, and restrict access to the input, input_h, and input_c parameters to minimize the risk of exploitation.

Tags: Buffer Overflow, Memory Corruption

Weakness Enumeration

Related Identifiers

BIT-TENSORFLOW-2021-41221
CVE-2021-41221
GHSA-CQV6-3PHM-HCWX
OPENSUSE-SU-2024:12116-1
PYSEC-2021-413
PYSEC-2021-630
PYSEC-2021-828

Affected Products

Tensorflow