CVE-2020-26266

Public Exploit

Uninitialized memory access in Eigen types in TensorFlow

Description

In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.

References

Link	Tags
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qhxx-j73r-qpm2	patch third party advisory exploit
https://github.com/tensorflow/tensorflow/commit/ace0c15a22f7f054abcc1f53eabbcb0a1239a9e2	third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2020-26266?: CVE-2020-26266 has been scored as a medium severity vulnerability.
How to fix CVE-2020-26266?: To fix CVE-2020-26266, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2020-26266 being actively exploited in the wild?: It is possible that CVE-2020-26266 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-26266?: CVE-2020-26266 affects tensorflow tensorflow.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Category

CWE-908 – Use of Uninitialized Resource

References

Frequently Asked Questions