Home » Database

AVID-2026-R0758

Description

OOB read in MatrixTriangularSolve (CVE-2021-29551)

Details

TensorFlow is an end-to-end open source platform for machine learning. The implementation of MatrixTriangularSolve(https://github.com/tensorflow/tensorflow/blob/8cae746d8449c7dda5298327353d68613f16e798/tensorflow/core/kernels/linalg/matrix_triangular_solve_op_impl.h#L160-L240) fails to terminate kernel execution if one validation condition fails. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: The CVE describes an out-of-bounds read in TensorFlow’s MatrixTriangularSolve, a vulnerability within a widely-used AI framework. It affects a software component (TensorFlow) that is core to building, training, deploying, and running general-purpose AI systems, representing a software supply-chain vulnerability in AI stacks. Public references (NVD entry, GitHub advisory, commit) provide evidence and a fix, satisfying security-safety criteria.

References

Affected or Relevant Artifacts

  • Developer: tensorflow
  • Deployer: tensorflow
  • Artifact Details:
TypeName
Systemtensorflow

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.1
Vector StringCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Base Score2.5
Base Severity🟢 Low
Attack VectorLOCAL
Attack Complexity🔴 High
Privileges Required🟢 Low
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability Impact🟢 Low

CWE

IDDescription
CWE-125CWE-125: Out-of-bounds Read

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2021-05-14
  • Version: 0.3.3
  • AVID Entry