Home » Database

AVID-2026-R0769

Description

Null pointer dereference in EditDistance (CVE-2021-29564)

Details

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a null pointer dereference in the implementation of tf.raw_ops.EditDistance. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/79865b542f9ffdc9caeb255631f7c56f1d4b6517/tensorflow/core/kernels/edit_distance_op.cc#L103-L159) has incomplete validation of the input parameters. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2021-29564 describes a null pointer dereference in TensorFlow’s tf.raw_ops.EditDistance, a vulnerability in a core ML framework. This affects the AI software stack and is a software supply-chain/dep issue for general-purpose AI systems, with CVE details and references provided.

References

Affected or Relevant Artifacts

  • Developer: tensorflow
  • Deployer: tensorflow
  • Artifact Details:
TypeName
Systemtensorflow

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.1
Vector StringCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Base Score2.5
Base Severity🟢 Low
Attack VectorLOCAL
Attack Complexity🔴 High
Privileges Required🟢 Low
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability Impact🟢 Low

CWE

IDDescription
CWE-476CWE-476: NULL Pointer Dereference

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2021-05-14
  • Version: 0.3.3
  • AVID Entry