Home > Vulnerability Database > CVE-2020-26271

Mend.io Vulnerability Database

CVE-2020-26271

Good to know:

Date: December 10, 2020

In affected versions of TensorFlow under certain cases, loading a saved model can result in accessing uninitialized memory while building the computation graph. The MakeEdge function creates an edge between one output tensor of the src node (given by output_index) and the input slot of the dst node (given by input_index). This is only possible if the types of the tensors on both sides coincide, so the function begins by obtaining the corresponding DataType values and comparing these for equality. However, there is no check that the indices point to inside of the arrays they index into. Thus, this can result in accessing data out of bounds of the corresponding heap allocated arrays. In most scenarios, this can manifest as unitialized data access, but if the index points far away from the boundaries of the arrays this can be used to leak addresses from the library. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.

Language: C++

Severity Score

4.4

Related Resources (7)

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-26271

Url: https://github.com/tensorflow/tensorflow/commit/0cc38aaa4064fd9e79101994ce9872c6d91f816b

Url: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q263-fvxm-m5mw

Url: https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2020-337.yaml

Url: https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2020-257.yaml

Url: https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2020-302.yaml

Url: https://www.mend.io/vulnerability-database/CVE-2020-26271

Severity Score

4.4

Weakness Type (CWE)

Out-of-bounds Read

CWE-125

Use of Uninitialized Resource

CWE-908

Top Fix

Upgrade Version

Upgrade to version tensorflow - 1.15.5;tensorflow - 2.0.4;tensorflow - 2.1.3;tensorflow - 2.2.2;tensorflow - 2.3.2;tensorflow-cpu - 2.1.3;tensorflow-cpu - 2.2.2;tensorflow-cpu - 2.3.2;tensorflow-gpu - 1.15.5;tensorflow-gpu - 2.0.4;tensorflow-gpu - 2.1.3;tensorflow-gpu - 2.2.2;tensorflow-gpu - 2.3.2

Learn More

CVSS v3.1

Base Score:	4.4
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	LOW

CVSS v2

Base Score:	2.1
Access Vector (AV):	LOCAL
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-26271

Good to know:

Date: December 10, 2020

Language: C++

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?