CVE-2021-41196: 
Python vulnerability analysis and mitigation

TensorFlow, an open source platform for machine learning, disclosed a vulnerability (CVE-2021-41196) where the Keras pooling layers could trigger a segmentation fault under specific conditions. The vulnerability was discovered through a GitHub issue and publicly disclosed on November 4, 2021. The issue affects TensorFlow versions prior to 2.7.0, including versions 2.4.x, 2.5.x, and 2.6.x (GitHub Advisory).

The vulnerability occurs in TensorFlow's implementation of pooling operations where the values in the sliding window are not properly validated to be strictly positive. Specifically, the issue manifests when the size of the pool is 0 or if a dimension is negative in the Keras pooling layers. The vulnerability received a CVSS v3.1 Base Score of 5.5 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can cause the application to crash through a segmentation fault. The issue primarily affects the availability of the system, with no direct impact on confidentiality or integrity. The vulnerability requires local access to exploit (GitHub Advisory).

The fix was included in TensorFlow 2.7.0 and backported to versions 2.6.1, 2.5.2, and 2.4.4. The patch adds validation to ensure that all dimensions of the sliding window ksize are strictly positive. Users are advised to upgrade to these patched versions to resolve the vulnerability (GitHub Advisory).