AVID-2026-R0892

Description

Overflow/crash in tf.image.resize when size is large (CVE-2021-41199)

Details

TensorFlow is an open source platform for machine learning. In affected versions if tf.image.resize is called with a large input argument then the TensorFlow process will crash due to a CHECK-failure caused by an overflow. The number of elements in the output tensor is too much for the int64_t type and the overflow is detected via a CHECK statement. This aborts the process. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2021-41199 describes a vulnerability in TensorFlow (an AI framework) where tf.image.resize may crash due to an integer overflow when sizes are large. This directly concerns AI software used in ML pipelines (models, data processing, frameworks) and is a vulnerability in a dependency used to build/train/deploy AI systems. Public CVE and advisories provide clear security impact and fixes, satisfying the evidence requirements.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-5hx2-qx8j-qjqm
• https://github.com/tensorflow/tensorflow/issues/46914
• https://github.com/tensorflow/tensorflow/commit/e5272d4204ff5b46136a1ef1204fc00597e21837

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2021-11-05
• Version: 0.3.3
• AVID Entry