We use cookies to improve your experience on our site.
AVID-2026-R0872
Description
Division by zero in TensorFlow Lite pooling operations (CVE-2021-37684)
Details
TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementations of pooling in TFLite are vulnerable to division by 0 errors as there are no checks for divisors not being 0. We have patched the issue in GitHub commit dfa22b348b70bb89d6d6ec0ff53973bacb4f4695. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
Reason for inclusion in AVID: The CVE describes a division-by-zero vulnerability in TensorFlow Lite pooling implementations, a vulnerability in an AI software framework used in ML pipelines. It affects TensorFlow/TFLite (AI framework), is in the software stack used to build/run general-purpose AI systems, and is a security vulnerability with potential availability impact. The report provides evidence (commit fix, affected versions, CVSS, references).
References
Affected or Relevant Artifacts
- Developer: tensorflow
- Deployer: tensorflow
- Artifact Details:
| Type | Name |
|---|---|
| System | tensorflow |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Base Score | 5.5 |
| Base Severity | 🟠 Medium |
| Attack Vector | LOCAL |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🟢 Low |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-369 | CWE-369: Divide By Zero |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2021-08-12
- Version: 0.3.3
- AVID Entry