{"id":"CVE-2020-26269","details":"In TensorFlow release candidate versions 2.4.0rc*, the general implementation for matching filesystem paths to a globbing pattern is vulnerable to an out-of-bounds access of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel implementation of GetMatchingPaths but are not verified by the PRs introducing it (#40861 and #44310). Thus, we are completely rewriting the implementation to fully specify and validate these. This is patched in version 2.4.0. This issue only impacts the master branch and the release candidates for TF version 2.4. The final 2.4 release will be patched.","aliases":["BIT-tensorflow-2020-26269","GHSA-9jjw-hf72-3mxw","PYSEC-2020-141","PYSEC-2020-300","PYSEC-2020-335"],"modified":"2026-04-11T11:23:27.935818Z","published":"2020-12-10T23:15:12.910Z","related":["GHSA-9jjw-hf72-3mxw"],"references":[{"type":"FIX","url":"https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9jjw-hf72-3mxw"},{"type":"FIX","url":"https://github.com/tensorflow/tensorflow/commit/8b5b9dc96666a3a5d27fad7179ff215e3b74b67c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tensorflow/tensorflow","events":[{"introduced":"0"},{"last_affected":"5e5730ba9d15a3b328d2b20a01bf8a9762f3711c"},{"introduced":"0"},{"last_affected":"ef82f4c66cae4a719a3815c307061a941a88b206"},{"introduced":"0"},{"last_affected":"0b06f2927be226ffe44f47bfa9e03e4ea649d7f3"},{"introduced":"0"},{"last_affected":"68f236364cdd261754c68782d99ec2fc791922e6"},{"introduced":"0"},{"last_affected":"97c3fef64ba9937a52af2d72fb4104b6e541d4b2"},{"fixed":"8b5b9dc96666a3a5d27fad7179ff215e3b74b67c"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.4.0-rc0"},{"introduced":"0"},{"last_affected":"2.4.0-rc1"},{"introduced":"0"},{"last_affected":"2.4.0-rc2"},{"introduced":"0"},{"last_affected":"2.4.0-rc3"},{"introduced":"0"},{"last_affected":"2.4.0-rc4"}]}}],"versions":["0.5.0",
"0.6.0","v1.1.0-rc1","v1.1.0-rc2","v1.12.1","v1.6.0-rc1","v1.9.0-rc2","v2.4.0-rc0","v2.4.0-rc1","v2.4.0-rc2","v2.4.0-rc3","v2.4.0-rc4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26269.json","vanir_signatures_modified":"2026-04-11T11:23:27Z","vanir_signatures":[{"source":"https://github.com/tensorflow/tensorflow/commit/8b5b9dc96666a3a5d27fad7179ff215e3b74b67c","signature_type":"Function","target":{"function":"GetMatchingPaths","file":"tensorflow/core/platform/file_system_helper.cc"},"signature_version":"v1","digest":{"function_hash":"178212551149989500511784799222224221041","length":2740},"id":"CVE-2020-26269-0241cd83","deprecated":false},{"source":"https://github.com/tensorflow/tensorflow/commit/8b5b9dc96666a3a5d27fad7179ff215e3b74b67c","signature_type":"Line","target":{"file":"tensorflow/core/platform/file_system_helper.cc"},"signature_version":"v1","digest":{"line_hashes":["194231714249816697885080011234107511497","193097968382043893022943305218558374145","228779981112729544908222142973304621544","152944730905069247894947623696099842364","329074111966353909403854229305412912572","284067545227155056936921196153040711738","5754915236322125769140764676100640897","268290799187579137624600997123146390246","182509781767220459677447650600987153980","228513733321830300933449105953010029037","41856533125880162508384134791719366544","325970861892933200753941678803628776936","154688739040253187258219104060259976062","286547907640470508814168107327861605968","276159965684980626540698015373160839781","257251635952869662249562893654878534748","28168157202814317748377554826387893143","39604596258984297797031777539132089418","40439364741814598130001393548781133540","57610718769559436263710270281812225278","85873494864347364465876186895370490772","148632165479508580819154707346946130612","196562345983065966647485718405753178265","188844005581682528002374087034840959038","146248215136762705925684448854066768987","3257456386
82183163959810586808784267952","69164386574051579650611908334099737061","129798499329911498876420016895308411021","290929996226824516487302365113818474446","294158246004720608229908942739014304846","304026138407827595174194044100146962316","243667232041657836657376433071113104328","326890887099567034256891477035727080579","185980216752858162569610674376607692057","311164169332649908231813213360943342965","275075006000645463497955352616987948192","168763463288113258992082885307346956390","7900681979115347775921711502332185729","63359712434835489821379984685065942567","137253286543926931045424238024283176018","219271619700036854016964131068135481188","6128526322975169314698056431016300098","68461873425767980550429206615381053825","62183160574744697608792996875473580940","213996977934428433905229231999513144173","59903913160964288208707750928248456329","32407121461880796709695555459774382814","150509344480213732872288623819471549990","33204944740324743971637278088425314807","155390394548725161100737870116519798384","32603008613639369628181554237608813341","49020635848021350550924493287608863041","175319454960972894545445564349750205914","15525704631431088781186226734305943455","237200358191674597907315368302849037186","60683250990876908444573965385433929465","112803336249640018830686484971648064731","281615464806982081203769385919117009152","19341058508828917165696936589474900735","312019210726808858657437633346571454416","65281077451029182409047472763846333242","296523203608205722259612191477846081932","199529468943027782149289779808125195349","247162399072708324614195274709606972532","291493653172669672087962578220540084478","268548072868408094967923829195459246683","178563767103023918854961264927821360268","276172173870268014149905805450972808013","188421517512352637034849763691025065992","17820933418525890142824901122371496602","78372885589428052750692988693066357767","217807795498746032902870021135943631588","335559443407015853956937137594082749908","1015544348516
92944882091052066171619546","277915516893642751939783360675787376365","227396291008269933509910778039969792692","114778299309522957412597313220321930690","231323082512071637021458200665470539852","313139850389376390191602860645970690876","36304411608407559800747956589229976040","63630511072129847462158791782763131024","206171383981259463259517339308583989610","138553315416725287941323254534584091708","60185456518289123789425796748469460767","316785362302644751823382599540285123717","264895371141983156081040518786451545631","276754202877699365945414578968987727379","317299657746041441650624568340216412263","244795225693545729192644606839105440635","339115909429474369112466363024745587226","233550781958575500936564981912414791752","208606059140277772064170020926798808594","314903588979023715232921875717779052676","167631270971267427152247407432859551442","166557638574282850410885883040673416759","15245978077281893038792388904386048629"],"threshold":0.9},"id":"CVE-2020-26269-b37191ab","deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}