CVE-2019-16778 LOW

CVE-2019-16778: Heap buffer overflow in `UnsortedSegmentSum` in TensorFlow

Vendor: Tensorflow
Product: tensorflow
Weakness: CWE-122
Published: December 16, 2019
Last update: August 5, 2024

CVSS base score

2.6/10
Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: Required
Confidentiality: None
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L

What the vulnerability does

01 Description

In TensorFlow before 1.15, a heap buffer overflow in `UnsortedSegmentSum` can be produced when the `Index` template argument is `int32`. In this case, the `data_size` and `num_segments` fields are truncated from `int64` to `int32` and can become negative, resulting in out-of-bounds heap memory access. This is unlikely to be exploitable and was detected and fixed internally in TensorFlow 1.15 and 2.0.
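
The truncation described above, shown as an added example that is not TensorFlow's code: an unchecked `int64` to `int32` cast next to a checked one, used in a simplified segment sum. The names `narrow_unchecked`, `narrow_checked` and `segment_sum` are hypothetical, and the input values are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

// Unchecked narrowing, the pattern the advisory describes: a 64-bit size is
// cast to a 32-bit Index, so values above INT32_MAX wrap and can go negative.
template <typename Index>
Index narrow_unchecked(int64_t v) { return static_cast<Index>(v); }

// Checked narrowing: fails when v is negative or too large for Index.
template <typename Index>
bool narrow_checked(int64_t v, Index* out) {
  if (v < 0 || v > static_cast<int64_t>(std::numeric_limits<Index>::max()))
    return false;
  *out = static_cast<Index>(v);
  return true;
}

// Hypothetical, simplified segment sum (not TensorFlow's kernel):
// out[ids[i]] += data[i]. Sizes arrive as int64 and are validated before use.
template <typename Index>
bool segment_sum(const std::vector<float>& data, const std::vector<Index>& ids,
                 int64_t num_segments, std::vector<float>* out) {
  Index n = 0, size = 0;
  if (ids.size() != data.size()) return false;
  if (!narrow_checked<Index>(num_segments, &n)) return false;
  if (!narrow_checked<Index>(static_cast<int64_t>(data.size()), &size))
    return false;
  for (Index i = 0; i < size; ++i)  // validate every segment id before writing
    if (ids[i] < 0 || ids[i] >= n) return false;
  out->assign(static_cast<size_t>(n), 0.0f);
  for (Index i = 0; i < size; ++i) (*out)[ids[i]] += data[i];
  return true;
}

int main() {
  const int64_t big = int64_t{1} << 31;  // constructed value: INT32_MAX + 1
  std::printf("unchecked: %d\n", narrow_unchecked<int32_t>(big));
  std::vector<float> out;
  bool ok = segment_sum<int32_t>({1.f, 2.f, 3.f}, {0, 1, 0}, 2, &out);
  std::printf("sum ok=%d out=[%g, %g]\n", ok, out[0], out[1]);
  std::printf("oversized accepted=%d\n",
              segment_sum<int32_t>({1.f}, {0}, big, &out));
  return 0;
}
```
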

Key dates

02 Disclosure timeline

December 16, 2019: CVE published
August 5, 2024: Record updated