AI Threat Alert
CVE-2021-29563
MEDIUMTensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by exploiting a `CHECK`-failure coming from the implementation of `tf.raw_ops.RFFT`....
Full analysis pending. Showing NVD description excerpt.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | — | No patch |
| tensorflow | pip | — | No patch |
| tensorflow | pip | — | No patch |
| tensorflow | pip | — | No patch |
Severity & Risk
Recommended Action
No patch available
Monitor for updates. Consider compensating controls or temporary mitigations.
Compliance Impact
Compliance analysis pending. Sign in for full compliance mapping when available.
Technical Details
NVD Description
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by exploiting a `CHECK`-failure coming from the implementation of `tf.raw_ops.RFFT`. Eigen code operating on an empty matrix can trigger on an assertion and will cause program termination. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H References
- github.com/tensorflow/tensorflow/commit/31bd5026304677faa8a0b77602c6154171b9aec1 Patch 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-ph87-fvjr-v33w Exploit Patch 3rd Party
- github.com/tensorflow/tensorflow/commit/31bd5026304677faa8a0b77602c6154171b9aec1 Patch 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-ph87-fvjr-v33w Exploit Patch 3rd Party