Vulnerability Description
In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tensorflow | < 1.15.5 |
Related Weaknesses (CWE)
References
- https://github.com/tensorflow/tensorflow/commit/14755416e364f17fb1870882fa778c7fPatchThird Party Advisory
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m648-33qf-v3gpPatchThird Party Advisory
- https://github.com/tensorflow/tensorflow/commit/14755416e364f17fb1870882fa778c7fPatchThird Party Advisory
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m648-33qf-v3gpPatchThird Party Advisory
FAQ
What is CVE-2020-26270?
CVE-2020-26270 is a vulnerability with a CVSS score of 4.4 (MEDIUM). In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a qu...
How severe is CVE-2020-26270?
CVE-2020-26270 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-26270?
Check the references section above for vendor advisories and patch information. Affected products include: Google Tensorflow.