TensorFlow is an end-to-end open source platform for machine learning. The TFLite implementation of concatenation is vulnerable to an integer overflow issue(https://github.com/tensorflow/tensorflow/blob/7b7352a724b690b11bfaae2cd54bc3907daf6285/tensorflow/lite/kernels/concatenation.cc#L70-L76). An attacker can craft a model such that the dimensions of one of the concatenation input overflow the values of `int`. TFLite uses `int` to represent tensor dimensions, whereas TF uses `int64`. Hence, valid TF models can trigger an integer overflow when converted to TFLite format. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-05-14T19:21:29

Updated: 2024-08-03T22:11:06.247Z

Reserved: 2021-03-30T00:00:00

Link: CVE-2021-29601

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2021-05-14T20:15:15.487

Modified: 2021-05-20T16:01:15.770

Link: CVE-2021-29601

cve-icon Redhat

No data.