CVE-2021-41223: 
Python vulnerability analysis and mitigation

TensorFlow, an open source platform for machine learning, was found to contain a vulnerability in the implementation of FusedBatchNorm kernels (CVE-2021-41223). The vulnerability was discovered in September 2021 and affects versions prior to TensorFlow 2.7.0. The issue was identified as a heap out-of-bounds (OOB) access vulnerability in the FusedBatchNorm kernels implementation (GitHub Advisory).

The vulnerability is classified as a heap out-of-bounds read (CWE-125) with a CVSS v3.1 Base Score of 7.1 (HIGH). The vulnerability requires local access with low attack complexity and low privileges, without requiring user interaction. The attack vector is local (AV:L), with low attack complexity (AC:L) and low privileges required (PR:L). The scope is unchanged (S:U), with high confidentiality impact (C:H), no integrity impact (I:N), and high availability impact (A:H) (NVD).

The vulnerability could lead to heap out-of-bounds access, potentially allowing an attacker to read sensitive information from memory or cause program crashes. The impact is particularly significant as it affects the FusedBatchNorm operation, which is commonly used in machine learning models (GitHub Advisory).

The vulnerability has been patched in multiple TensorFlow versions: 2.7.0, 2.6.1, 2.5.2, and 2.4.4. Users are advised to upgrade to these patched versions. The fix was implemented through GitHub commit aab9998916c2ffbd8f0592059fad352622f89cda, which adds shape checks to FusedBatchNorm kernels (GitHub Advisory).