We use cookies to improve your experience on our site.
AVID-2026-R0739
Description
CHECK-fail in tf.raw_ops.EncodePng (CVE-2021-29531)
Details
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a CHECK fail in PNG encoding by providing an empty input tensor as the pixel data. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/e312e0791ce486a80c9d23110841525c6f7c3289/tensorflow/core/kernels/image/encode_png_op.cc#L57-L60) only validates that the total number of pixels in the image does not overflow. Thus, an attacker can send an empty matrix for encoding. However, if the tensor is empty, then the associated buffer is nullptr. Hence, when calling png::WriteImageToBuffer(https://github.com/tensorflow/tensorflow/blob/e312e0791ce486a80c9d23110841525c6f7c3289/tensorflow/core/kernels/image/encode_png_op.cc#L79-L93), the first argument (i.e., image.flat<T>().data()) is NULL. This then triggers the CHECK_NOTNULL in the first line of png::WriteImageToBuffer(https://github.com/tensorflow/tensorflow/blob/e312e0791ce486a80c9d23110841525c6f7c3289/tensorflow/core/lib/png/png_io.cc#L345-L349). Since image is null, this results in abort being called after printing the stacktrace. Effectively, this allows an attacker to mount a denial of service attack. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Reason for inclusion in AVID: CVE-2021-29531 describes a vulnerability in TensorFlow’s PNG encoding path that can cause a denial-of-service by aborting when given an empty input tensor. TensorFlow is a core AI framework used to build, train, and deploy AI systems, so this is a vulnerability in a component that is part of the software supply chain for general-purpose AI systems. The issue is a security vulnerability (DoS) with clear evidence (CVE entry, advisory, and commit references) and affects multiple TensorFlow versions, with a fix planned/issued. Therefore it meets all criteria for AVID curation.
References
- NVD entry
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-3qxp-qjq7-w4hf
- https://github.com/tensorflow/tensorflow/commit/26eb323554ffccd173e8a79a8c05c15b685ae4d1
Affected or Relevant Artifacts
- Developer: tensorflow
- Deployer: tensorflow
- Artifact Details:
| Type | Name |
|---|---|
| System | tensorflow |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L |
| Base Score | 2.5 |
| Base Severity | 🟢 Low |
| Attack Vector | LOCAL |
| Attack Complexity | 🔴 High |
| Privileges Required | 🟢 Low |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | 🟢 Low |
CWE
| ID | Description |
|---|---|
| CWE-754 | CWE-754: Improper Check for Unusual or Exceptional Conditions |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2021-05-14
- Version: 0.3.3
- AVID Entry