Home » Database

AVID-2026-R0793

Description

Division by zero in TFLite’s convolution code (CVE-2021-29594)

Details

TensorFlow is an end-to-end open source platform for machine learning. TFLite’s convolution code(https://github.com/tensorflow/tensorflow/blob/09c73bca7d648e961dd05898292d91a8322a9d45/tensorflow/lite/kernels/conv.cc) has multiple division where the divisor is controlled by the user and not checked to be non-zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2021-29594 is a division-by-zero bug in TensorFlow Lite’s convolution code. TensorFlow/TFLite are AI software frameworks used in ML pipelines and deployments; this is a software vulnerability in a component used to run AI workloads, making it relevant to general-purpose AI system supply chains. It describes a security impact (crash/denial scenarios) and provides references and fixes, giving sufficient evidence.

References

Affected or Relevant Artifacts

  • Developer: tensorflow
  • Deployer: tensorflow
  • Artifact Details:
TypeName
Systemtensorflow

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.1
Vector StringCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Base Score2.5
Base Severity🟢 Low
Attack VectorLOCAL
Attack Complexity🔴 High
Privileges Required🟢 Low
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability Impact🟢 Low

CWE

IDDescription
CWE-369CWE-369: Divide By Zero

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2021-05-14
  • Version: 0.3.3
  • AVID Entry