AVID-2026-R0809

Description

Crash in tf.transpose with complex inputs (CVE-2021-29618)

Details

TensorFlow is an end-to-end open source platform for machine learning. Passing a complex argument to tf.transpose at the same time as passing conjugate=True argument results in a crash. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2021-29618 describes a crash in TensorFlow’s tf.transpose with complex inputs and conjugate=True; it is a vulnerability in a core ML framework used in AI pipelines. It affects commonly used AI software stacks and requires patching across multiple TensorFlow versions, representing a software supply-chain vulnerability in the AI stack. The report provides clear description, affected versions, and references sufficient for AVID curation.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xqfj-cr6q-pc8w
• https://github.com/tensorflow/tensorflow/commit/1dc6a7ce6e0b3e27a7ae650bfc05b195ca793f88
• https://github.com/tensorflow/issues/42105
• https://github.com/tensorflow/issues/46973

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2021-05-14
• Version: 0.3.3
• AVID Entry