AVID-2026-R0808

Description

Crash in tf.strings.substr due to CHECK-fail (CVE-2021-29617)

Details

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via CHECK-fail in tf.strings.substr with invalid arguments. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: This CVE concerns TensorFlow, a core ML framework used in AI/ML pipelines. It is a software vulnerability in a component commonly used to build/train/deploy AI systems, with a DoS impact and provided remediation. The report includes CVE details, affected versions, and references, satisfying evidentiary sufficiency for AVID curation.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-mmq6-q8r3-48fm
• https://github.com/tensorflow/tensorflow/commit/890f7164b70354c57d40eda52dcdd7658677c09f
• https://github.com/tensorflow/issues/46900
• https://github.com/tensorflow/issues/46974

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2021-05-14
• Version: 0.3.3
• AVID Entry