CVE-2021-29539

low-risk
Published 2021-05-14

TensorFlow is an end-to-end open source platform for machine learning. Calling `tf.raw_ops.ImmutableConst`(https://www.tensorflow.org/api_docs/python/tf/raw_ops/ImmutableConst) with a `dtype` of `tf.resource` or `tf.variant` results in a segfault in the implementation as code assumes that the tensor contents are pure scalars. We have patched the issue in 4f663d4b8f0bec1b48da6fa091a7d29609980fa4 and will release TensorFlow 2.5.0 containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved. If using `tf.raw_ops.ImmutableConst` in code, you can prevent the segfault by inserting a filter for the `dtype` argument.

Do I need to act?

-
0.01% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
2
CVSS 2.5/10 Low
LOCAL / HIGH complexity

Affected Products (1)

Affected Vendors

Google

References (4)

Patch https://github.com/tensorflow/tensorflow/commit/4f663d4b8f0bec1b48da6fa091a7d296...
Exploit https://github.com/tensorflow/tensorflow/security/advisories/GHSA-g4h2-gqm3-c9wq
Patch https://github.com/tensorflow/tensorflow/commit/4f663d4b8f0bec1b48da6fa091a7d296...
Exploit https://github.com/tensorflow/tensorflow/security/advisories/GHSA-g4h2-gqm3-c9wq
11
/ 100
low-risk
Severity 6/34 · Minimal
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal