AVID-2026-R0725

Description

Type confusion during tensor casts lead to dereferencing null pointers (CVE-2021-29513)

Details

TensorFlow is an end-to-end open source platform for machine learning. Calling TF operations with tensors of non-numeric types when the operations expect numeric tensors result in null pointer dereferences. The conversion from Python array to C++ array(https://github.com/tensorflow/tensorflow/blob/ff70c47a396ef1e3cb73c90513da4f5cb71bebba/tensorflow/python/lib/core/ndarray_tensor.cc#L113-L169) is vulnerable to a type confusion. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2021-29513 describes a software vulnerability in TensorFlow (an AI framework) involving type confusion during tensor casts that can lead to a null pointer dereference. TensorFlow is a core dependency used to build, train, and deploy AI systems, so this is a software supply-chain-related issue within AI software stacks. The report explicitly references the affected versions and fixes, indicating a real vulnerability, albeit with local access requirements and low severity. The evidence supports classification as an AI-related vulnerability in the GP AI supply chain.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-452g-f7fp-9jf7
• https://github.com/tensorflow/tensorflow/commit/030af767d357d1b4088c4a25c72cb3906abac489

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2021-05-14
• Version: 0.3.3
• AVID Entry