CVE-2021-41198

low-risk

Published 2021-11-05

TensorFlow is an open source platform for machine learning. In affected versions if `tf.tile` is called with a large input argument then the TensorFlow process will crash due to a `CHECK`-failure caused by an overflow. The number of elements in the output tensor is too much for the `int64_t` type and the overflow is detected via a `CHECK` statement. This aborts the process. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.5/10 Medium

LOCAL / LOW complexity

Affected Products (1)

Tensorflow

Affected Vendors

Google

References (6)

Patch https://github.com/tensorflow/tensorflow/commit/9294094df6fea79271778eb7e7ae1bad...

Exploit https://github.com/tensorflow/tensorflow/issues/46911

Exploit https://github.com/tensorflow/tensorflow/security/advisories/GHSA-2p25-55c9-h58q

Patch https://github.com/tensorflow/tensorflow/commit/9294094df6fea79271778eb7e7ae1bad...

Exploit https://github.com/tensorflow/tensorflow/issues/46911

Exploit https://github.com/tensorflow/tensorflow/security/advisories/GHSA-2p25-55c9-h58q

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal