← back
CVE-2020-26266

Uninitialized memory access in Eigen types in TensorFlow

CVSS 4.4 MEDIUMEPSS 0.2%CWE-908
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 4.4EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
10 Dec 2020Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Affected products
tensorflow · tensorflow

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/tensorflow/tensorflow/commit/ace0c15a22f7f054abcc1f53eabbcb0a1239a9e2https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qhxx-j73r-qpm2