Google Software and search

TensorFlow is an end-to-end open source platform for machine learning

CVE-2021-29618 5.5 - Medium - May 14, 2021

TensorFlow is an end-to-end open source platform for machine learning. Passing a complex argument to `tf.transpose` at the same time as passing `conjugate=True` argument results in a crash. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Improper Handling of Exceptional Conditions

TensorFlow is an end-to-end open source platform for machine learning

CVE-2021-29617 5.5 - Medium - May 14, 2021

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via `CHECK`-fail in `tf.strings.substr` with invalid arguments. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Improper Handling of Exceptional Conditions

TensorFlow is an end-to-end open source platform for machine learning

CVE-2021-29616 7.8 - High - May 14, 2021

TensorFlow is an end-to-end open source platform for machine learning. The implementation of TrySimplify(https://github.com/tensorflow/tensorflow/blob/c22d88d6ff33031aa113e48aa3fc9aa74ed79595/tensorflow/core/grappler/optimizers/arithmetic_optimizer.cc#L390-L401) has undefined behavior due to dereferencing a null pointer in corner cases that result in optimizing a node with no inputs. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

NULL Pointer Dereference

TensorFlow is an end-to-end open source platform for machine learning

CVE-2021-29610 7.8 - High - May 14, 2021

TensorFlow is an end-to-end open source platform for machine learning. The validation in `tf.raw_ops.QuantizeAndDequantizeV2` allows invalid values for `axis` argument:. The validation(https://github.com/tensorflow/tensorflow/blob/eccb7ec454e6617738554a255d77f08e60ee0808/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L74-L77) uses `||` to mix two different conditions. If `axis_ < -1` the condition in `OP_REQUIRES` will still be true, but this value of `axis_` results in heap underflow. This allows attackers to read/write to other data on the heap. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Improper Initialization

TensorFlow is an end-to-end open source platform for machine learning

CVE-2021-29608 7.8 - High - May 14, 2021

TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.RaggedTensorToTensor`, an attacker can exploit an undefined behavior if input arguments are empty. The implementation(https://github.com/tensorflow/tensorflow/blob/656e7673b14acd7835dc778867f84916c6d1cac2/tensorflow/core/kernels/ragged_tensor_to_tensor_op.cc#L356-L360) only checks that one of the tensors is not empty, but does not check for the other ones. There are multiple `DCHECK` validations to prevent heap OOB, but these are no-op in release builds, hence they don't prevent anything. The fix will be included in TensorFlow 2.5.0. We will also cherrypick these commits on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Incorrect Calculation of Buffer Size

TensorFlow is an end-to-end open source platform for machine learning

CVE-2021-29540 7.8 - High - May 14, 2021

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow to occur in `Conv2DBackpropFilter`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/1b0296c3b8dd9bd948f924aa8cd62f87dbb7c3da/tensorflow/core/kernels/conv_grad_filter_ops.cc#L495-L497) computes the size of the filter tensor but does not validate that it matches the number of elements in `filter_sizes`. Later, when reading/writing to this buffer, code uses the value computed here, instead of the number of elements in the tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Memory Corruption

TensorFlow is an end-to-end open source platform for machine learning

CVE-2021-29539 5.5 - Medium - May 14, 2021

TensorFlow is an end-to-end open source platform for machine learning. Calling `tf.raw_ops.ImmutableConst`(https://www.tensorflow.org/api_docs/python/tf/raw_ops/ImmutableConst) with a `dtype` of `tf.resource` or `tf.variant` results in a segfault in the implementation as code assumes that the tensor contents are pure scalars. We have patched the issue in 4f663d4b8f0bec1b48da6fa091a7d29609980fa4 and will release TensorFlow 2.5.0 containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved. If using `tf.raw_ops.ImmutableConst` in code, you can prevent the segfault by inserting a filter for the `dtype` argument.

Incorrect Conversion between Numeric Types

TensorFlow is an end-to-end open source platform for machine learning

CVE-2021-29538 5.5 - Medium - May 14, 2021

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a division by zero to occur in `Conv2DBackpropFilter`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/1b0296c3b8dd9bd948f924aa8cd62f87dbb7c3da/tensorflow/core/kernels/conv_grad_filter_ops.cc#L513-L522) computes a divisor based on user provided data (i.e., the shape of the tensors given as arguments). If all shapes are empty then `work_unit_size` is 0. Since there is no check for this case before division, this results in a runtime exception, with potential to be abused for a denial of service. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Divide By Zero

TensorFlow is an end-to-end open source platform for machine learning

CVE-2021-29537 7.8 - High - May 14, 2021

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `QuantizedResizeBilinear` by passing in invalid thresholds for the quantization. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/50711818d2e61ccce012591eeb4fdf93a8496726/tensorflow/core/kernels/quantized_resize_bilinear_op.cc#L705-L706) assumes that the 2 arguments are always valid scalars and tries to access the numeric value directly. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Memory Corruption

TensorFlow is an end-to-end open source platform for machine learning

CVE-2021-29536 7.8 - High - May 14, 2021

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `QuantizedReshape` by passing in invalid thresholds for the quantization. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/a324ac84e573fba362a5e53d4e74d5de6729933e/tensorflow/core/kernels/quantized_reshape_op.cc#L38-L55) assumes that the 2 arguments are always valid scalars and tries to access the numeric value directly. However, if any of these tensors is empty, then `.flat<T>()` is an empty buffer and accessing the element at position 0 results in overflow. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Memory Corruption

TensorFlow is an end-to-end open source platform for machine learning

CVE-2021-29535 7.8 - High - May 14, 2021

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `QuantizedMul` by passing in invalid thresholds for the quantization. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/87cf4d3ea9949051e50ca3f071fc909538a51cd0/tensorflow/core/kernels/quantized_mul_op.cc#L287-L290) assumes that the 4 arguments are always valid scalars and tries to access the numeric value directly. However, if any of these tensors is empty, then `.flat<T>()` is an empty buffer and accessing the element at position 0 results in overflow. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Memory Corruption

TensorFlow is an end-to-end open source platform for machine learning

CVE-2021-29534 5.5 - Medium - May 14, 2021

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.SparseConcat`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/b432a38fe0e1b4b904a6c222cbce794c39703e87/tensorflow/core/kernels/sparse_concat_op.cc#L76) takes the values specified in `shapes[0]` as dimensions for the output shape. The `TensorShape` constructor(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L183-L188) uses a `CHECK` operation which triggers when `InitDims`(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L212-L296) returns a non-OK status. This is a legacy implementation of the constructor and operations should use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in the presence of overflows. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Improper Check for Unusual or Exceptional Conditions

TensorFlow is an end-to-end open source platform for machine learning

CVE-2021-29533 5.5 - Medium - May 14, 2021

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK` failure by passing an empty image to `tf.raw_ops.DrawBoundingBoxes`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/ea34a18dc3f5c8d80a40ccca1404f343b5d55f91/tensorflow/core/kernels/image/draw_bounding_box_op.cc#L148-L165) uses `CHECK_*` assertions instead of `OP_REQUIRES` to validate user controlled inputs. Whereas `OP_REQUIRES` allows returning an error condition back to the user, the `CHECK_*` macros result in a crash if the condition is false, similar to `assert`. In this case, `height` is 0 from the `images` input. This results in `max_box_row_clamp` being negative and the assertion being falsified, followed by aborting program execution. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Improper Check for Unusual or Exceptional Conditions

TensorFlow is an end-to-end open source platform for machine learning

CVE-2021-29532 7.1 - High - May 14, 2021

TensorFlow is an end-to-end open source platform for machine learning. An attacker can force accesses outside the bounds of heap allocated arrays by passing in invalid tensor values to `tf.raw_ops.RaggedCross`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/efea03b38fb8d3b81762237dc85e579cc5fc6e87/tensorflow/core/kernels/ragged_cross_op.cc#L456-L487) lacks validation for the user supplied arguments. Each of the above branches call a helper function after accessing array elements via a `*_list[next_*]` pattern, followed by incrementing the `next_*` index. However, as there is no validation that the `next_*` values are in the valid range for the corresponding `*_list` arrays, this results in heap OOB reads. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Out-of-bounds Read

TensorFlow is an end-to-end open source platform for machine learning

CVE-2021-29514 7.8 - High - May 14, 2021

TensorFlow is an end-to-end open source platform for machine learning. If the `splits` argument of `RaggedBincount` does not specify a valid `SparseTensor`(https://www.tensorflow.org/api_docs/python/tf/sparse/SparseTensor), then an attacker can trigger a heap buffer overflow. This will cause a read from outside the bounds of the `splits` tensor buffer in the implementation of the `RaggedBincount` op(https://github.com/tensorflow/tensorflow/blob/8b677d79167799f71c42fd3fa074476e0295413a/tensorflow/core/kernels/bincount_op.cc#L430-L446). Before the `for` loop, `batch_idx` is set to 0. The attacker sets `splits(0)` to be 7, hence the `while` loop does not execute and `batch_idx` remains 0. This then results in writing to `out(-1, bin)`, which is before the heap allocated buffer for the output tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are also affected.

Memory Corruption

TensorFlow is an end-to-end open source platform for machine learning

CVE-2021-29513 7.8 - High - May 14, 2021

TensorFlow is an end-to-end open source platform for machine learning. Calling TF operations with tensors of non-numeric types when the operations expect numeric tensors result in null pointer dereferences. The conversion from Python array to C++ array(https://github.com/tensorflow/tensorflow/blob/ff70c47a396ef1e3cb73c90513da4f5cb71bebba/tensorflow/python/lib/core/ndarray_tensor.cc#L113-L169) is vulnerable to a type confusion. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

NULL Pointer Dereference

In IoT Devices SDK, there is an implementation of calloc() that doesn't have a length check

CVE-2021-22547 7.8 - High - May 04, 2021

In IoT Devices SDK, there is an implementation of calloc() that doesn't have a length check. An attacker could pass in memory objects larger than the buffer and wrap around to have a smaller buffer than required, allowing the attacker access to the other parts of the heap. We recommend upgrading the Google Cloud IoT Device SDK for Embedded C used to 1.0.3 or greater.

Classic Buffer Overflow

Type confusion in V8 in Google Chrome prior to 90.0.4430.93

CVE-2021-21230 8.8 - High - April 30, 2021

Type confusion in V8 in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Object Type Confusion

Use after free in Dev Tools in Google Chrome prior to 90.0.4430.93

CVE-2021-21232 8.8 - High - April 30, 2021

Use after free in Dev Tools in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Dangling pointer

Insufficient data validation in V8 in Google Chrome prior to 90.0.4430.93

CVE-2021-21227 8.8 - High - April 30, 2021

Insufficient data validation in V8 in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Memory Corruption

Insufficient data validation in V8 in Google Chrome prior to 90.0.4430.93

CVE-2021-21231 8.8 - High - April 30, 2021

Insufficient data validation in V8 in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Insufficient Verification of Data Authenticity

Insufficient policy enforcement in extensions in Google Chrome prior to 90.0.4430.93

CVE-2021-21228 4.3 - Medium - April 30, 2021

Insufficient policy enforcement in extensions in Google Chrome prior to 90.0.4430.93 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.

AuthZ

GAEN (aka Google/Apple Exposure Notifications) through 2021-04-27 on Android allows attackers to obtain sensitive information, such as a user's location history, in-person social graph, and (sometimes) COVID-19 infection status, because Rolling Proximity Identifiers and MAC addresses are written to the Android system log, and many Android devices have applications (preinstalled by the hardware manufacturer or network operator)

CVE-2021-31815 3.3 - Low - April 28, 2021

GAEN (aka Google/Apple Exposure Notifications) through 2021-04-27 on Android allows attackers to obtain sensitive information, such as a user's location history, in-person social graph, and (sometimes) COVID-19 infection status, because Rolling Proximity Identifiers and MAC addresses are written to the Android system log, and many Android devices have applications (preinstalled by the hardware manufacturer or network operator) that read system log data and send it to third parties. NOTE: a news outlet (The Markup) states that they received a vendor response indicating that fix deployment "began several weeks ago and will be complete in the coming days."

Cleartext Transmission of Sensitive Information

Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72

CVE-2021-21218 5.5 - Medium - April 26, 2021

Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file.

Use of Uninitialized Resource

Inappropriate implementation in Autofill in Google Chrome prior to 90.0.4430.72

CVE-2021-21215 6.5 - Medium - April 26, 2021

Inappropriate implementation in Autofill in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to spoof security UI via a crafted HTML page.

Authentication Bypass by Spoofing

Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72

CVE-2021-21219 5.5 - Medium - April 26, 2021

Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file.

Information Disclosure

Insufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128

CVE-2021-21220 8.8 - High - April 26, 2021

Insufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Buffer Overflow

Insufficient validation of untrusted input in Mojo in Google Chrome prior to 90.0.4430.72

CVE-2021-21221 6.5 - Medium - April 26, 2021

Insufficient validation of untrusted input in Mojo in Google Chrome prior to 90.0.4430.72 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.

Improper Input Validation

Inappropriate implementation in Autofill in Google Chrome prior to 90.0.4430.72

CVE-2021-21216 6.5 - Medium - April 26, 2021

Inappropriate implementation in Autofill in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to spoof security UI via a crafted HTML page.

Authentication Bypass by Spoofing

Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72

CVE-2021-21217 5.5 - Medium - April 26, 2021

Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file.

Information Disclosure

Use after free in navigation in Google Chrome prior to 90.0.4430.85

CVE-2021-21226 9.6 - Critical - April 26, 2021

Use after free in navigation in Google Chrome prior to 90.0.4430.85 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Dangling pointer

Inappropriate implementation in storage in Google Chrome prior to 90.0.4430.72

CVE-2021-21209 6.5 - Medium - April 26, 2021

Inappropriate implementation in storage in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Origin Validation Error

Inappropriate implementation in Navigation in Google Chrome on iOS prior to 90.0.4430.72

CVE-2021-21211 6.5 - Medium - April 26, 2021

Inappropriate implementation in Navigation in Google Chrome on iOS prior to 90.0.4430.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Origin Validation Error

Incorrect security UI in Network Config UI in Google Chrome on ChromeOS prior to 90.0.4430.72

CVE-2021-21212 6.5 - Medium - April 26, 2021

Incorrect security UI in Network Config UI in Google Chrome on ChromeOS prior to 90.0.4430.72 allowed a remote attacker to potentially compromise WiFi connection security via a malicious WAP.

Use after free in WebMIDI in Google Chrome prior to 90.0.4430.72

CVE-2021-21213 8.8 - High - April 26, 2021

Use after free in WebMIDI in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Dangling pointer

Use after free in Network API in Google Chrome prior to 90.0.4430.72

CVE-2021-21214 8.8 - High - April 26, 2021

Use after free in Network API in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to potentially exploit heap corruption via a crafted Chrome Extension.

Dangling pointer

Heap buffer overflow in V8 in Google Chrome prior to 90.0.4430.85

CVE-2021-21222 6.5 - Medium - April 26, 2021

Heap buffer overflow in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.

Memory Corruption

Integer overflow in Mojo in Google Chrome prior to 90.0.4430.85

CVE-2021-21223 9.6 - Critical - April 26, 2021

Integer overflow in Mojo in Google Chrome prior to 90.0.4430.85 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Integer Overflow or Wraparound

Type confusion in V8 in Google Chrome prior to 90.0.4430.85

CVE-2021-21224 8.8 - High - April 26, 2021

Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

Object Type Confusion

Out of bounds memory access in V8 in Google Chrome prior to 90.0.4430.85

CVE-2021-21225 8.8 - High - April 26, 2021

Out of bounds memory access in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Buffer Overflow

Insufficient data validation in QR scanner in Google Chrome on iOS prior to 90.0.4430.72

CVE-2021-21208 6.5 - Medium - April 26, 2021

Insufficient data validation in QR scanner in Google Chrome on iOS prior to 90.0.4430.72 allowed an attacker displaying a QR code to perform domain spoofing via a crafted QR code.

Improper Input Validation

Use after free in IndexedDB in Google Chrome prior to 90.0.4430.72

CVE-2021-21207 8.6 - High - April 26, 2021

Use after free in IndexedDB in Google Chrome prior to 90.0.4430.72 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.

Dangling pointer

Use after free in Blink in Google Chrome prior to 89.0.4389.128

CVE-2021-21206 8.8 - High - April 26, 2021

Use after free in Blink in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Dangling pointer

Insufficient policy enforcement in navigation in Google Chrome on iOS prior to 90.0.4430.72

CVE-2021-21205 8.1 - High - April 26, 2021

Insufficient policy enforcement in navigation in Google Chrome on iOS prior to 90.0.4430.72 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

Use after free in Blink in Google Chrome prior to 90.0.4430.72

CVE-2021-21203 8.8 - High - April 26, 2021

Use after free in Blink in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Dangling pointer

Use after free in extensions in Google Chrome prior to 90.0.4430.72

CVE-2021-21202 8.6 - High - April 26, 2021

Use after free in extensions in Google Chrome prior to 90.0.4430.72 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.

Dangling pointer

Use after free in permissions in Google Chrome prior to 90.0.4430.72

CVE-2021-21201 9.6 - Critical - April 26, 2021

Use after free in permissions in Google Chrome prior to 90.0.4430.72 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Dangling pointer

Inappropriate implementation in Network in Google Chrome prior to 90.0.4430.72

CVE-2021-21210 6.5 - Medium - April 26, 2021

Inappropriate implementation in Network in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to potentially access local UDP ports via a crafted HTML page.

Exposure of Resource to Wrong Sphere

An improper authorization of using debugging command in Secure Folder prior to SMR Oct-2020 Release 1

CVE-2021-25382 5.5 - Medium - April 23, 2021

An improper authorization of using debugging command in Secure Folder prior to SMR Oct-2020 Release 1 allows unauthorized access to contents in Secure Folder via debugging command.

AuthZ

An attacker can place a crafted JSON config file into the project folder pointing to a custom executable

CVE-2021-22539 7.8 - High - April 16, 2021

An attacker can place a crafted JSON config file into the project folder pointing to a custom executable. VScode-bazel allows the workspace path to lint *.bzl files to be set via this config file. As such the attacker is able to execute any executable on the system through vscode-bazel. We recommend upgrading to version 0.4.1 or above.

Exposure of Resource to Wrong Sphere

In pb_write of pb_encode.c, there is a possible out of bounds write due to a missing bounds check

CVE-2021-0488 6.7 - Medium - April 15, 2021

In pb_write of pb_encode.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-178754781

Memory Corruption

In several functions of InputDispatcher.cpp

CVE-2021-0438 7.8 - High - April 13, 2021

In several functions of InputDispatcher.cpp, WindowManagerService.java, and related files, there is a possible tapjacking attack due to an incorrect FLAG_OBSCURED value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10Android ID: A-152064592

Improper Privilege Management

In setPowerModeWithHandle of com_android_server_power_PowerManagerService.cpp

CVE-2021-0439 7.8 - High - April 13, 2021

In setPowerModeWithHandle of com_android_server_power_PowerManagerService.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-174243830

Memory Corruption

In updateInfo of android_hardware_input_InputApplicationHandle.cpp, there is a possible control of code flow due to a use after free

CVE-2021-0442 7.8 - High - April 13, 2021

In updateInfo of android_hardware_input_InputApplicationHandle.cpp, there is a possible control of code flow due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-174768985

Dangling pointer

In several functions of ScreenshotHelper.java and related files, there is a possible incorrectly saved screenshot due to a race condition

CVE-2021-0443 4.7 - Medium - April 13, 2021

In several functions of ScreenshotHelper.java and related files, there is a possible incorrectly saved screenshot due to a race condition. This could lead to local information disclosure across user profiles with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-170474245

Race Condition

In injectBestLocation and handleUpdateLocation of GnssLocationProvider.java

CVE-2021-0400 5.5 - Medium - April 13, 2021

In injectBestLocation and handleUpdateLocation of GnssLocationProvider.java, there is a possible incorrect reporting of location data to emergency services due to improper input validation. This could lead to incorrect reporting of location data to emergency services with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11Android ID: A-177561690

In parsePrimaryFieldFirstUidAnnotation of LogEvent.cpp, there is a possible out of bounds write due to a heap buffer overflow

CVE-2021-0426 7.8 - High - April 13, 2021

In parsePrimaryFieldFirstUidAnnotation of LogEvent.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-174485572

Memory Corruption

In parseExclusiveStateAnnotation of LogEvent.cpp, there is a possible out of bounds write due to a heap buffer overflow

CVE-2021-0427 7.8 - High - April 13, 2021

In parseExclusiveStateAnnotation of LogEvent.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-174488848

Memory Corruption

In getSimSerialNumber of TelephonyManager.java, there is a possible way to read a trackable identifier due to a missing permission check

CVE-2021-0428 5.5 - Medium - April 13, 2021

In getSimSerialNumber of TelephonyManager.java, there is a possible way to read a trackable identifier due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-173421434

Incorrect Default Permissions

In pollOnce of ALooper.cpp, there is possible memory corruption due to a use after free

CVE-2021-0429 7.8 - High - April 13, 2021

In pollOnce of ALooper.cpp, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-175074139

Dangling pointer

In rw_mfc_handle_read_op of rw_mfc.cc, there is a possible out of bounds write due to a missing bounds check

CVE-2021-0430 9.8 - Critical - April 13, 2021

In rw_mfc_handle_read_op of rw_mfc.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution via a malicious NFC packet with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-178725766

Memory Corruption

In avrc_msg_cback of avrc_api.cc, there is a possible out of bounds read due to a missing bounds check

CVE-2021-0431 7.5 - High - April 13, 2021

In avrc_msg_cback of avrc_api.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure to a paired device with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-174149901

Out-of-bounds Read

In ClearPullerCacheIfNecessary and ForceClearPullerCache of StatsPullerManager.cpp

CVE-2021-0432 7 - High - April 13, 2021

In ClearPullerCacheIfNecessary and ForceClearPullerCache of StatsPullerManager.cpp, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-173552790

Race Condition

In onCreate of DeviceChooserActivity.java

CVE-2021-0433 8 - High - April 13, 2021

In onCreate of DeviceChooserActivity.java, there is a possible way to bypass user consent when pairing a Bluetooth device due to a tapjacking/overlay attack. This could lead to local escalation of privilege and pairing malicious devices with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171221090

Improper Privilege Management

In avrc_proc_vendor_command of avrc_api.cc, there is a possible leak of heap data due to uninitialized data

CVE-2021-0435 7.5 - High - April 13, 2021

In avrc_proc_vendor_command of avrc_api.cc, there is a possible leak of heap data due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-174150451

Improper Initialization

In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible out of bounds read due to integer overflow

CVE-2021-0436 5.5 - Medium - April 13, 2021

In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible out of bounds read due to integer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-176496160

Integer Overflow or Wraparound

In setPlayPolicy of DrmPlugin.cpp, there is a possible double free

CVE-2021-0437 7.8 - High - April 13, 2021

In setPlayPolicy of DrmPlugin.cpp, there is a possible double free. This could lead to local escalation of privilege in a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-176168330

Double-free

In decrypt_1_2 of CryptoPlugin.cpp, there is a possible out of bounds read due to an integer overflow

CVE-2021-0471 5.5 - Medium - April 13, 2021

In decrypt_1_2 of CryptoPlugin.cpp, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-176444786

Integer Overflow or Wraparound

In onActivityResult of QuickContactActivity.java, there is an unnecessary return of an intent

CVE-2021-0444 5.5 - Medium - April 13, 2021

In onActivityResult of QuickContactActivity.java, there is an unnecessary return of an intent. This could lead to local information disclosure of contact data with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-178825358

In start of WelcomeActivity.java, there is a possible residual profile due to a confused deputy

CVE-2021-0445 7.8 - High - April 13, 2021

In start of WelcomeActivity.java, there is a possible residual profile due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-9Android ID: A-172322502

Improper Privilege Management

In ImportVCardActivity, there is a possible way to bypass user consent due to a tapjacking/overlay attack

CVE-2021-0446 7.3 - High - April 13, 2021

In ImportVCardActivity, there is a possible way to bypass user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-172252122

Improper Privilege Management

In LK, there is a possible escalation of privilege due to an insecure default value

CVE-2021-0468 6.6 - Medium - April 13, 2021

In LK, there is a possible escalation of privilege due to an insecure default value. This could lead to local escalation of privilege for an attacker who has physical access to the device with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-180427272

Improper Privilege Management

Use after free in screen sharing in Google Chrome prior to 89.0.4389.114

CVE-2021-21194 8.8 - High - April 09, 2021

Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Dangling pointer

Use after free in V8 in Google Chrome prior to 89.0.4389.114

CVE-2021-21195 8.8 - High - April 09, 2021

Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Dangling pointer

Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.114

CVE-2021-21197 8.8 - High - April 09, 2021

Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Memory Corruption

Out of bounds read in IPC in Google Chrome prior to 89.0.4389.114

CVE-2021-21198 7.4 - High - April 09, 2021

Out of bounds read in IPC in Google Chrome prior to 89.0.4389.114 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Out-of-bounds Read

Use after free in Aura in Google Chrome on Linux prior to 89.0.4389.114

CVE-2021-21199 8.8 - High - April 09, 2021

Use after free in Aura in Google Chrome on Linux prior to 89.0.4389.114 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

Dangling pointer

A vulnerability that stores IMSI values in an improper path prior to SMR APR-2021 Release 1

CVE-2021-25358 3.3 - Low - April 09, 2021

A vulnerability that stores IMSI values in an improper path prior to SMR APR-2021 Release 1 allows local attackers to access IMSI values without any permission via untrusted applications.

Incorrect Default Permissions

An improper SELinux policy prior to SMR APR-2021 Release 1

CVE-2021-25359 3.3 - Low - April 09, 2021

An improper SELinux policy prior to SMR APR-2021 Release 1 allows local attackers to access AP information without proper permissions via untrusted applications.

Incorrect Default Permissions

An improper input validation vulnerability in libswmfextractor library prior to SMR APR-2021 Release 1

CVE-2021-25360 9.8 - Critical - April 09, 2021

An improper input validation vulnerability in libswmfextractor library prior to SMR APR-2021 Release 1 allows attackers to execute arbitrary code on mediaextractor process.

Memory Corruption

A pendingIntent hijacking vulnerability in Create Movie prior to SMR APR-2021 Release 1 in Android O(8.x) and P(9.0), 3.4.81.1 in Android Q(10,0), and 3.6.80.7 in Android R(11.0)

CVE-2021-25357 5.5 - Medium - April 09, 2021

A pendingIntent hijacking vulnerability in Create Movie prior to SMR APR-2021 Release 1 in Android O(8.x) and P(9.0), 3.4.81.1 in Android Q(10,0), and 3.6.80.7 in Android R(11.0) allows unprivileged applications to access contact information.

Improper Privilege Management

An improper caller check vulnerability in Managed Provisioning prior to SMR APR-2021 Release 1

CVE-2021-25356 8.8 - High - April 09, 2021

An improper caller check vulnerability in Managed Provisioning prior to SMR APR-2021 Release 1 allows unprivileged application to install arbitrary application, grant device admin permission and then delete several installed application.

AuthZ

An improper permission management in CertInstaller prior to SMR APR-2021 Release 1

CVE-2021-25362 6.1 - Medium - April 09, 2021

An improper permission management in CertInstaller prior to SMR APR-2021 Release 1 allows untrusted applications to delete certain local files.

Improper Privilege Management

A pendingIntent hijacking vulnerability in Secure Folder prior to SMR APR-2021 Release 1

CVE-2021-25364 3.3 - Low - April 09, 2021

A pendingIntent hijacking vulnerability in Secure Folder prior to SMR APR-2021 Release 1 allows unprivileged applications to access contact information.

Information Disclosure

An improper exception control in softsimd prior to SMR APR-2021 Release 1

CVE-2021-25365 7.8 - High - April 09, 2021

An improper exception control in softsimd prior to SMR APR-2021 Release 1 allows unprivileged applications to access the API in softsimd.

Improper Privilege Management

An improper access control vulnerability in stickerCenter prior to SMR APR-2021 Release 1

CVE-2021-25361 8.8 - High - April 09, 2021

An improper access control vulnerability in stickerCenter prior to SMR APR-2021 Release 1 allows local attackers to read or write arbitrary files of system process via untrusted applications.

Directory traversal

An improper access control in ActivityManagerService prior to SMR APR-2021 Release 1

CVE-2021-25363 6.1 - Medium - April 09, 2021

An improper access control in ActivityManagerService prior to SMR APR-2021 Release 1 allows untrusted applications to access running processesdelete some local files.

Improper Privilege Management

An issue was discovered on LG mobile devices with Android OS 11 software

CVE-2021-30161 5.5 - Medium - April 06, 2021

An issue was discovered on LG mobile devices with Android OS 11 software. Attackers can bypass the lockscreen protection mechanism after an incoming call has been terminated. The LG ID is LVE-SMP-210002 (April 2021).

An issue was discovered on LG mobile devices with Android OS 4.4 through 11 software

CVE-2021-30162 7.1 - High - April 06, 2021

An issue was discovered on LG mobile devices with Android OS 4.4 through 11 software. Attackers can leverage ISMS services to bypass access control on specific content providers. The LG ID is LVE-SMP-210003 (April 2021).

A privilege escalation vulnerability impacting the Google Exposure Notification Verification Server (versions prior to 0.23.1)

CVE-2021-22538 8.8 - High - March 31, 2021

A privilege escalation vulnerability impacting the Google Exposure Notification Verification Server (versions prior to 0.23.1), allows an attacker who (1) has UserWrite permissions and (2) is using a carefully crafted request or malicious proxy, to create another user with higher privileges than their own. This occurs due to insufficient checks on the allowed set of permissions. The new user creation event would be captured in the Event Log.

Incorrect Default Permissions

An improper access control vulnerability in sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace.

CVE-2021-25369 5.5 - Medium - March 26, 2021

An improper access control vulnerability in sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace.

AuthZ

An incorrect implementation handling file descriptor in dpu driver prior to SMR Mar-2021 Release 1 results in memory corruption leading to kernel panic.

CVE-2021-25370 4.4 - Medium - March 26, 2021

An incorrect implementation handling file descriptor in dpu driver prior to SMR Mar-2021 Release 1 results in memory corruption leading to kernel panic.

Use after free in WebRTC in Google Chrome prior to 89.0.4389.90

CVE-2021-21191 8.8 - High - March 16, 2021

Use after free in WebRTC in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Dangling pointer

Heap buffer overflow in tab groups in Google Chrome prior to 89.0.4389.90

CVE-2021-21192 8.8 - High - March 16, 2021

Heap buffer overflow in tab groups in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Memory Corruption

Use after free in Blink in Google Chrome prior to 89.0.4389.90

CVE-2021-21193 8.8 - High - March 16, 2021

Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Dangling pointer

In getUpTo17bits of pvmp3_getbits.cpp, there is a possible out of bounds read due to a heap buffer overflow

CVE-2021-0379 6.5 - Medium - March 10, 2021

In getUpTo17bits of pvmp3_getbits.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-154075955

Out-of-bounds Read

In onReceive of DcTracker.java

CVE-2021-0380 7.8 - High - March 10, 2021

In onReceive of DcTracker.java, there is a possible way to trigger a provisioning URL and modify other telephony settings due to a missing permission check. This could lead to local escalation of privilege during the onboarding flow with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-172459128

Incorrect Default Permissions

In updateNotifications of DeviceStorageMonitorService.java, there is a possible permission bypass due to an unsafe PendingIntent

CVE-2021-0381 5.5 - Medium - March 10, 2021

In updateNotifications of DeviceStorageMonitorService.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-153466381

Incorrect Default Permissions

In checkSlicePermission of SliceManagerService.java, there is a possible resource exposure due to an incorrect permission check

CVE-2021-0382 5.5 - Medium - March 10, 2021

In checkSlicePermission of SliceManagerService.java, there is a possible resource exposure due to an incorrect permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-140727941

Incorrect Default Permissions

In done of CaptivePortalLoginActivity.java, there is a confused deputy

CVE-2021-0383 7.8 - High - March 10, 2021

In done of CaptivePortalLoginActivity.java, there is a confused deputy. This could lead to local escalation of privilege in carrier settings with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-160871056

Improper Privilege Management