How severe is CVE-2021-37682?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.1 out of 10.

What type of vulnerability is CVE-2021-37682?

This is classified as CWE-908, which is a common weakness in software security.

CVE-2021-37682

HIGH Year: 2021

CVSS v3 Score

7.1

High

CVSS v2 Score

3.6

Low

Weakness Type

CWE-908

View all →

Vulnerability Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions all TFLite operations that use quantization can be made to use unitialized values. [For example](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/depthwise_conv.cc#L198-L200). The issue stems from the fact that `quantization.params` is only valid if `quantization.type` is different that `kTfLiteNoQuantization`. However, these checks are missing in large parts of the code. We have patched the issue in GitHub commits 537bc7c723439b9194a358f64d871dd326c18887, 4a91f2069f7145aab6ba2d8cfe41be8a110c18a5 and 8933b8a21280696ab119b63263babdb54c298538. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

CVE-2019-13220

HIGH

CVSS:7.1(High)

Use of uninitialized stack variables in the start_decoder function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or disclose sensitive information by opening a craft...

CWE-9082019

CVE-2020-15193

HIGH

CVSS:7.1(High)

In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glu...

CWE-9082020

CVE-2021-47101

HIGH

CVSS:7.1(High)

In the Linux kernel, the following vulnerability has been resolved: asix: fix uninit-value in asix_mdio_read() asix_read_cmd() may read less than sizeof(smsr) bytes and in this case smsr will be unini...

CWE-9082021

CVE-2023-52842

HIGH

CVSS:7.1(High)

In the Linux kernel, the following vulnerability has been resolved: virtio/vsock: Fix uninit-value in virtio_transport_recv_pkt() KMSAN reported the following uninit-value access issue: ==============...

CWE-9082023

CVE-2024-35849

HIGH

CVSS:7.1(High)

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix information leak in btrfs_ioctl_logical_to_ino() Syzbot reported the following information leak for in btrfs_ioctl_logica...

CWE-9082024

CVE-2024-38381

HIGH

CVSS:7.1(High)

In the Linux kernel, the following vulnerability has been resolved: nfc: nci: Fix uninit-value in nci_rx_work syzbot reported the following uninit-value access issue [1] nci_rx_work() parses received ...

CWE-9082024

CVE-2021-37682

Vulnerability Description

Related Vulnerabilities

CVE-2019-13220

CVE-2020-15193

CVE-2021-47101

CVE-2023-52842

CVE-2024-35849

CVE-2024-38381