Vulnerability Description
In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tensorflow | < 1.15.5 |
Related Weaknesses (CWE)
References
- https://github.com/tensorflow/tensorflow/commit/ace0c15a22f7f054abcc1f53eabbcb0aPatchThird Party Advisory
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qhxx-j73r-qpm2ExploitPatchThird Party Advisory
- https://github.com/tensorflow/tensorflow/commit/ace0c15a22f7f054abcc1f53eabbcb0aPatchThird Party Advisory
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qhxx-j73r-qpm2ExploitPatchThird Party Advisory
FAQ
What is CVE-2020-26266?
CVE-2020-26266 is a vulnerability with a CVSS score of 4.4 (MEDIUM). In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default v...
How severe is CVE-2020-26266?
CVE-2020-26266 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-26266?
Check the references section above for vendor advisories and patch information. Affected products include: Google Tensorflow.