AVID-2026-R0874

Description

Infinite loop in TensorFlow Lite (CVE-2021-37686)

Details

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the strided slice implementation in TFLite has a logic bug which can allow an attacker to trigger an infinite loop. This arises from newly introduced support for ellipsis in axis definition. An attacker can craft a model such that ellipsis_end_idx is smaller than i (e.g., always negative). In this case, the inner loop does not increase i and the continue statement causes execution to skip over the preincrement at the end of the outer loop. We have patched the issue in GitHub commit dfa22b348b70bb89d6d6ec0ff53973bacb4f4695. TensorFlow 2.6.0 is the only affected version.
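To make the loop-control defect concrete, here is an added, simplified C++ model of the control flow the advisory describes. It is hypothetical code written for this entry, not TensorFlow Lite's source and not its actual patch: with enforce_progress false, the continue bypasses the outer ++i whenever ellipsis_end_idx is at or below i, so the index never advances; with it true, the ellipsis end is clamped to at least i + 1 so every outer iteration makes progress. A bounded iteration guard stands in for the hang.

```cpp
#include <algorithm>
#include <cstdint>
#include <vector>

// Hypothetical, simplified model of the axis-expansion loop described in the
// advisory (NOT the TensorFlow Lite implementation). Each dimension index is
// either copied through or, when its ellipsis bit is set, expanded with
// placeholder entries up to ellipsis_end_idx.
// Returns the number of outer-loop iterations, or -1 if the iteration guard
// tripped, i.e. the loop would never terminate on its own.
static int expand_axes(int num_dims, uint32_t ellipsis_mask,
                       int ellipsis_end_idx, bool enforce_progress,
                       int max_iters = 1000) {
  int iters = 0;
  std::vector<int> out;
  for (int i = 0; i < num_dims;) {
    if (++iters > max_iters) return -1;  // guard: the loop is stuck
    if ((1u << i) & ellipsis_mask) {
      int end = ellipsis_end_idx;
      // Hardened variant: force at least one step forward per outer iteration.
      if (enforce_progress) end = std::max(end, i + 1);
      // Defective pattern: if end <= i the inner loop never increments i ...
      for (; i < end; ++i) out.push_back(-1);
      continue;  // ... and continue skips the ++i below, so i stays put.
    }
    out.push_back(i);
    ++i;
  }
  return iters;
}
```

The first assertion below shows a negative ellipsis_end_idx pinning i at the ellipsis dimension; the second shows the same input terminating once forward progress is enforced.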

Reason for inclusion in AVID: CVE-2021-37686 documents an infinite loop vulnerability in TensorFlow Lite’s strided_slice, which can be triggered by crafting a model to cause a denial-of-service via an endless loop. TensorFlow Lite is a core AI software component used to run ML models, making this a software issue within the AI stack and relevant to AI pipelines and deployments. The report includes evidence of the vulnerability, affected version, and a patch (commit), supporting its categorization as a security/safety vulnerability in a software supply chain component used for AI systems. Therefore, it should be kept for AVID curation.

References

Affected or Relevant Artifacts

  • Developer: tensorflow
  • Deployer: tensorflow
  • Artifact Details:
    Type    Name
    System  tensorflow

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version                 3.1
Vector String           CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score              5.5
Base Severity           🟠 Medium
Attack Vector           LOCAL
Attack Complexity       🟢 Low
Privileges Required     🟢 Low
User Interaction        NONE
Scope                   UNCHANGED
Confidentiality Impact  NONE
Integrity Impact        NONE
Availability Impact     🔴 High

CWE

ID       Description
CWE-835  Loop with Unreachable Exit Condition ('Infinite Loop')

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2021-08-12
  • Version: 0.3.3
  • AVID Entry