AVID-2026-R0818
Description
Vulnerability CVE-2021-33648
Details
When performing shape inference for the Affine, Concat, MatMul, ArgMinMax, EmbeddingLookup, and Gather operators, an input shape of size 0 causes an access to data outside the bounds of the shape, which is allocated from heap buffers.
Reason for inclusion in AVID: CVE-2021-33648 describes an out-of-bounds read in MindSpore operators (Affine, Concat, MatMul, ArgMinMax, EmbeddingLookup, Gather) when the input shape size is 0. MindSpore is an AI framework used in ML pipelines, so this is a software vulnerability affecting components used to build/train/deploy AI systems. This constitutes a software supply-chain issue in AI stacks. The report provides explicit CVE references (NVD) and a MindSpore advisory as sources.
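The bug class described above, as an added example that is not MindSpore's code: shape inference that indexes a heap-allocated shape from its end must reject a size-0 shape first. The `shape_t` type, the function names and the return codes are hypothetical, and the Concat check is simplified to the rank and axis validation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical shape descriptor: dims is a heap buffer holding ndim entries. */
typedef struct { const int64_t *dims; size_t ndim; } shape_t;

enum { INFER_OK = 0, INFER_BAD_SHAPE = -1 };

/* Unchecked pattern, kept for contrast and never called here: when ndim is 0,
 * ndim - 1 wraps to SIZE_MAX and the load leaves the buffer (CWE-125). */
int64_t last_dim_unchecked(const shape_t *s) {
    return s->dims[s->ndim - 1];
}

/* Checked MatMul shape inference: reject inputs below rank 2 before indexing. */
int infer_matmul_shape(const shape_t *a, const shape_t *b, int64_t out[2]) {
    if (!a || !b || !out || !a->dims || !b->dims) return INFER_BAD_SHAPE;
    if (a->ndim < 2 || b->ndim < 2) return INFER_BAD_SHAPE;
    if (a->dims[a->ndim - 1] != b->dims[b->ndim - 2]) return INFER_BAD_SHAPE;
    out[0] = a->dims[a->ndim - 2];
    out[1] = b->dims[b->ndim - 1];
    return INFER_OK;
}

/* Checked Concat inference (simplified): every input must share one rank and
 * that rank must contain `axis`; writes the summed extent along `axis`. */
int infer_concat_dim(const shape_t *in, size_t n, size_t axis, int64_t *out) {
    if (!in || !out || n == 0) return INFER_BAD_SHAPE;
    int64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (!in[i].dims || in[i].ndim != in[0].ndim || axis >= in[i].ndim)
            return INFER_BAD_SHAPE;
        total += in[i].dims[axis];
    }
    *out = total;
    return INFER_OK;
}

int main(void) {
    /* Constructed sample shapes; `empty` models the size-0 input. */
    int64_t a[] = {2, 3}, b[] = {3, 4}, out[2] = {0, 0};
    shape_t sa = {a, 2}, sb = {b, 2}, empty = {a, 0};
    printf("matmul rc=%d -> %lldx%lld\n", infer_matmul_shape(&sa, &sb, out),
           (long long)out[0], (long long)out[1]);
    printf("matmul with size-0 shape rc=%d\n", infer_matmul_shape(&empty, &sb, out));
    return 0;
}
```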
References
- NVD entry
- https://gitee.com/mindspore/community/blob/master/security/security_advisory_list/mssa-2021-007_en.md
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | openEuler:mindspore |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-125 | Out-of-bounds Read |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-06-27
- Version: 0.3.3
- AVID Entry