TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, there is a potential for segfault / denial of service in TensorFlow by calling tf.compat.v1.*
ops which don't yet have support for quantized types, which was added after migration to TensorFlow 2.x. In these scenarios, since the kernel is missing, a nullptr
value is passed to ParseDimensionValue
for the py_value
argument. Then, this is dereferenced, resulting in segfault. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.
{ "cpes": [ "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*", "cpe:2.3:a:google:tensorflow:2.7.0:rc0:*:*:*:*:*:*", "cpe:2.3:a:google:tensorflow:2.7.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:google:tensorflow:2.8.0:-:*:*:*:*:*:*", "cpe:2.3:a:google:tensorflow:2.8.0:rc0:*:*:*:*:*:*", "cpe:2.3:a:google:tensorflow:2.8.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:google:tensorflow:2.9.0:rc0:*:*:*:*:*:*", "cpe:2.3:a:google:tensorflow:2.9.0:rc1:*:*:*:*:*:*" ], "severity": "Medium" }