AVID-2026-R0726

Description

Heap out of bounds write in RaggedBinCount (CVE-2021-29514)

Details

TensorFlow is an end-to-end open source platform for machine learning. If the splits argument of RaggedBincount does not specify a valid SparseTensor(https://www.tensorflow.org/api_docs/python/tf/sparse/SparseTensor), then an attacker can trigger a heap buffer overflow. This will cause a read from outside the bounds of the splits tensor buffer in the implementation of the RaggedBincount op(https://github.com/tensorflow/tensorflow/blob/8b677d79167799f71c42fd3fa074476e0295413a/tensorflow/core/kernels/bincount_op.cc#L430-L446). Before the for loop, batch_idx is set to 0. The attacker sets splits(0) to be 7, hence the while loop does not execute and batch_idx remains 0. This then results in writing to out(-1, bin), which is before the heap allocated buffer for the output tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are also affected.

Reason for inclusion in AVID: CVE-2021-29514 describes a heap out-of-bounds write in TensorFlow’s RaggedBincount op, enabling memory corruption via crafted input; TensorFlow is a core AI framework; the issue affects software used to build/train/deploy AI systems; it is a vulnerability (CWE-787) with CVSS details provided. Therefore it meets AI-related, GP AI supply chain, security vulnerability, and has sufficient evidence.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/commit/eebb96c2830d48597d055d247c0e9aebaea94cd5
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-8h46-5m9h-7553

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2021-05-14
• Version: 0.3.3
• AVID Entry