AVID-2026-R0827

Description

Null pointer dereference in CompressElement in TensorFlow (CVE-2021-37637)

Details

TensorFlow is an end-to-end open source platform for machine learning. It is possible to trigger a null pointer dereference in TensorFlow by passing an invalid input to tf.raw_ops.CompressElement. The implementation was accessing the size of a buffer obtained from the return of a separate function call before validating that said buffer is valid. We have patched the issue in GitHub commit 5dc7f6981fdaf74c8c5be41f393df705841fb7c5. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2021-37637 describes a null pointer dereference in TensorFlow’s CompressElement, a vulnerability in a core AI framework. TensorFlow is widely used to build/train/deploy AI systems, so this is a software vulnerability in a component commonly used in AI pipelines. A patch exists and is targeted to multiple TensorFlow release lines, indicating an actionable fix in the AI software stack. This fits the scope of a software supply-chain vulnerability in general-purpose AI systems.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c9qf-r67m-p7cg
• https://github.com/tensorflow/tensorflow/commit/5dc7f6981fdaf74c8c5be41f393df705841fb7c5

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2021-08-12
• Version: 0.3.3
• AVID Entry