AVID-2026-R0743

Description

Heap buffer overflow in QuantizedMul (CVE-2021-29535)

Details

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in QuantizedMul by passing in invalid thresholds for the quantization. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/87cf4d3ea9949051e50ca3f071fc909538a51cd0/tensorflow/core/kernels/quantized_mul_op.cc#L287-L290) assumes that the 4 arguments are always valid scalars and tries to access the numeric value directly. However, if any of these tensors is empty, then .flat<T>() is an empty buffer and accessing the element at position 0 results in overflow. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2021-29535 describes a heap buffer overflow in TensorFlow’s QuantizedMul. TensorFlow is a core ML framework and widely used in building, training, deploying, and serving AI systems; the vulnerability resides in software used within AI stacks, not hardware. The CVE provides affected versions, impact, and references, and a fix is available, indicating sufficient evidence. This aligns with AI-related software supply chain vulnerabilities in dependencies/frameworks relevant to general-purpose AI systems.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m3f9-w3p3-p669
• https://github.com/tensorflow/tensorflow/commit/efea03b38fb8d3b81762237dc85e579cc5fc6e87

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2021-05-14
• Version: 0.3.3
• AVID Entry