PT-2021-23196 · Google · Tensorflow

Published 2021-11-05 · Updated 2024-03-06 · CVE-2021-41223

CVSS v3.1: 7.1 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.7.0
TensorFlow versions 2.6.1 and earlier
TensorFlow versions 2.5.2 and earlier
TensorFlow versions 2.4.4 and earlier

Description

The implementation of the FusedBatchNorm kernels in TensorFlow is vulnerable to a heap out-of-bounds (OOB) access. The issue can be exploited through the tf.raw_ops.FusedBatchNormGrad function with specific values for its parameters: y_backprop, x, scale, reserve_space_1, reserve_space_2, epsilon, data_format, and is_training. The vulnerability was reported by members of the Aivul Team from Qihoo 360.

Recommendations

For versions prior to 2.7.0, update to TensorFlow 2.7.0 or later.
For versions 2.6.1 and earlier, update to TensorFlow 2.6.1 or later.
For versions 2.5.2 and earlier, update to TensorFlow 2.5.2 or later.
For versions 2.4.4 and earlier, update to TensorFlow 2.4.4 or later.

As a temporary workaround, consider disabling the FusedBatchNorm kernels until a patch is available.

Weakness Enumeration

Out-of-bounds Read

Related Identifiers

BIT-TENSORFLOW-2021-41223
CVE-2021-41223
GHSA-F54P-F6JP-4RHR
OPENSUSE-SU-2024:12116-1
PYSEC-2021-415
PYSEC-2021-632
PYSEC-2021-830

Affected Products

Tensorflow