AVID-2026-R0850

Description

Division by 0 in inplace operations in TensorFlow (CVE-2021-37660)

Details

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause a floating point exception by calling inplace operations with crafted arguments that would result in a division by 0. The implementation has a logic error: it should skip processing if x and v are empty but the code uses || instead of &&. We have patched the issue in GitHub commit e86605c0a336c088b638da02135ea6f9f6753618. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2021-37660 describes a software vulnerability in TensorFlow’s inplace operations that can trigger a division-by-zero (floating point exception), with a patch available. TensorFlow is a core AI/ML framework used in AI pipelines; the issue affects software components used to build/train/deploy general-purpose AI systems, i.e., the software supply chain. It is a security vulnerability (availability impact) with public CVE details and evidence of fix, so this fits AVID criteria.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cm5x-837x-jf3c
• https://github.com/tensorflow/tensorflow/commit/e86605c0a336c088b638da02135ea6f9f6753618

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2021-08-12
• Version: 0.3.3
• AVID Entry