We use cookies to improve your experience on our site.
AVID-2026-R0868
Description
Heap OOB in nested tf.map_fn with RaggedTensors in TensorFlow (CVE-2021-37679)
Details
TensorFlow is an end-to-end open source platform for machine learning. In affected versions it is possible to nest a tf.map_fn within another tf.map_fn call. However, if the input tensor is a RaggedTensor and there is no function signature provided, code assumes the output is a fully specified tensor and fills output buffer with uninitialized contents from the heap. The t and z outputs should be identical, however this is not the case. The last row of t contains data from the heap which can be used to leak other memory information. The bug lies in the conversion from a Variant tensor to a RaggedTensor. The implementation does not check that all inner shapes match and this results in the additional dimensions. The same implementation can result in data loss, if input tensor is tweaked. We have patched the issue in GitHub commit 4e2565483d0ffcadc719bd44893fb7f609bb5f12. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
Reason for inclusion in AVID: CVE-2021-37679 describes a heap-out-of-bounds vulnerability in TensorFlow core involving nested tf.map_fn with RaggedTensor inputs, leading to potential memory disclosure. This is a software vulnerability in a widely-used AI framework, directly impacting AI model development, training, and deployment pipelines. It affects software components (TensorFlow) commonly used to build general-purpose AI systems, not hardware/firmware. The report provides CVE details, affected versions, impact, and a patch, establishing clear security risk and remediation evidence.
References
- NVD entry
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-g8wg-cjwc-xhhp
- https://github.com/tensorflow/tensorflow/commit/4e2565483d0ffcadc719bd44893fb7f609bb5f12
Affected or Relevant Artifacts
- Developer: tensorflow
- Deployer: tensorflow
- Artifact Details:
| Type | Name |
|---|---|
| System | tensorflow |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| Base Score | 7.1 |
| Base Severity | 🔴 High |
| Attack Vector | LOCAL |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🟢 Low |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | NONE |
CWE
| ID | Description |
|---|---|
| CWE-125 | CWE-125: Out-of-bounds Read |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2021-08-12
- Version: 0.3.3
- AVID Entry