AVID-2026-R0875

Description

Heap OOB in TensorFlow Lite’s Gather* implementations (CVE-2021-37687)

Details

TensorFlow is an end-to-end open source platform for machine learning. In affected versions TFLite’s GatherNd implementation does not support negative indices but there are no checks for this situation. Hence, an attacker can read arbitrary data from the heap by carefully crafting a model with negative values in indices. Similar issue exists in Gather implementation. We have patched the issue in GitHub commits bb6a0383ed553c286f87ca88c207f6774d5c4a8f and eb921122119a6b6e470ee98b89e65d721663179d. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2021-37687 describes a heap out-of-bounds read in TensorFlow Lite’s GatherNd and Gather implementations, enabling potential data disclosure via crafted models. It affects TensorFlow/TFLite software used in ML pipelines, i.e., AI frameworks and deployment stacks, thus AI-related and part of the software supply chain for general-purpose AI systems. It is a security vulnerability with CVSS details and patches referenced, and the report provides evidence (commits, advisories, CVE entry).

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-jwf9-w5xm-f437
• https://github.com/tensorflow/tensorflow/commit/bb6a0383ed553c286f87ca88c207f6774d5c4a8f
• https://github.com/tensorflow/tensorflow/commit/eb921122119a6b6e470ee98b89e65d721663179d

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2021-08-12
• Version: 0.3.3
• AVID Entry