AVID-2026-R0876

Description

Null pointer dereference in TensorFlow Lite (CVE-2021-37688)

Details

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service. The implementation unconditionally dereferences a pointer. We have patched the issue in GitHub commit 15691e456c7dc9bd6be203b09765b063bf4a380c. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2021-37688 describes a null pointer dereference in TensorFlow Lite leading to a crash and denial of service. TensorFlow Lite is an ML framework/library used in AI systems, thus AI-related. It is a software component used in building/deploying AI systems (general-purpose AI supply chain). It represents a security vulnerability (CVE with CVSS metrics). The report provides explicit vulnerability behavior, patch information, affected versions, and references, giving sufficient evidence.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vcjj-9vg7-vf68
• https://github.com/tensorflow/tensorflow/commit/15691e456c7dc9bd6be203b09765b063bf4a380c

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2021-08-12
• Version: 0.3.3
• AVID Entry