AVID-2026-R0843

Description

Division by 0 in ResourceGather in TensorFlow (CVE-2021-37653)

Details

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a crash via a floating point exception in tf.raw_ops.ResourceGather. The implementation computes the value of a value, batch_size, and then divides by it without checking that this value is not 0. We have patched the issue in GitHub commit ac117ee8a8ea57b73d34665cdf00ef3303bc0b11. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2021-37653 describes a divide-by-zero crash in TensorFlow’s ResourceGather affecting TensorFlow versions. This is a vulnerability within a core AI software framework used to build and run general-purpose AI systems. As the issue lies in a widely used AI dependency, it qualifies as a software supply chain issue pertaining to AI stacks (dependencies/frameworks). The report provides explicit evidence (CVSS metrics, affected versions, and a fix commit) supporting its security impact. Hardware/firmware-only aspects do not apply here.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qjj8-32p7-h289
• https://github.com/tensorflow/tensorflow/commit/ac117ee8a8ea57b73d34665cdf00ef3303bc0b11

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2021-08-12
• Version: 0.3.3
• AVID Entry