CVE-2021-41221: 
Python vulnerability analysis and mitigation

TensorFlow, an open source platform for machine learning, disclosed a vulnerability (CVE-2021-41221) in November 2021. The vulnerability affects versions prior to 2.7.0, where the shape inference code for the Cudnn* operations could be tricked into accessing invalid memory through a heap buffer overflow. The issue was discovered by members of the Aivul Team from Qihoo 360 (GitHub Advisory).

The vulnerability stems from insufficient validation of input parameters in the Cudnn* operations. Specifically, the ranks of the input, input_h, and input_c parameters are not validated before use, while the code assumes they have certain values. The code attempts to access dimensions of these inputs assuming rank >= 2 for input_shape and rank >= 3 for input_h_shape, which can lead to invalid memory access (GitHub Advisory). The vulnerability has been assigned a CVSS v2.0 base score of 4.6 (Medium) (NVD).

When exploited, this vulnerability can lead to heap buffer overflow, which could result in program crashes or potential remote code execution. The vulnerability affects TensorFlow versions 2.4.0 through 2.6.0, and the pre-release versions of 2.7.0 (rc0 and rc1) (NVD).

The vulnerability has been patched in multiple versions: TensorFlow 2.7.0, 2.6.1, 2.5.2, and 2.4.4. The fix involves adding proper rank validation checks for the input tensors. Users are advised to upgrade to these patched versions. The fix was implemented in GitHub commit af5fcebb37c8b5d71c237f4e59c6477015c78ce6 (GitHub Advisory).