AVID-2026-R0863

Description

CHECK-fail in MapStage in TensorFlow (CVE-2021-37673)

Details

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a denial of service via a CHECK-fail in tf.raw_ops.MapStage. The implementation does not check that the key input is a valid non-empty tensor. We have patched the issue in GitHub commit d7de67733925de196ec8863a33445b73f9562d1d. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2021-37673 is a software vulnerability in the TensorFlow ML framework (MapStage CHECK-fail causing DoS). TensorFlow is a core AI software stack used to build/train/deploy general-purpose AI systems; this is a vulnerability in a dependency used in AI pipelines. The report includes CVE, affected versions, and a fix commit; thus sufficient evidence.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-278g-rq84-9hmg
• https://github.com/tensorflow/tensorflow/commit/d7de67733925de196ec8863a33445b73f9562d1d

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2021-08-12
• Version: 0.3.3
• AVID Entry