AVID-2026-R0893
Description
Incomplete validation in tf.summary.create_file_writer (CVE-2021-41200)
Details
TensorFlow is an open source platform for machine learning. In affected versions, if tf.summary.create_file_writer is called with non-scalar arguments, the code crashes due to a CHECK-fail. The fix will be included in TensorFlow 2.7.0. We will also cherry-pick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in the supported range.
Reason for inclusion in AVID: CVE-2021-41200 describes incomplete input validation in TensorFlow's tf.summary.create_file_writer: non-scalar arguments reach a CHECK-fail, which aborts the whole process rather than raising a catchable error. The impact is therefore denial of service only, consistent with the availability-only CVSS vector and the CWE-617 (Reachable Assertion) classification below. TensorFlow is a core ML framework widely used in AI software stacks, so a crash bug in it is a software supply-chain concern for every AI system that depends on it; the fix ships in 2.7.0 and is backported to 2.6.1, 2.5.2 and 2.4.4.
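The two things a deployer wants from this advisory are a way to tell whether an installed TensorFlow carries the fix and a way to keep non-scalar values from reaching the kernel on builds that do not. The block below is an added example written for this entry, not TensorFlow project code and not the upstream fix (which lives in the C++ kernel, see the referenced commit). It assumes the four tensor-valued parameters of the public API (logdir, max_queue, flush_millis, filename_suffix) are the ones the kernel checks for scalar shape, and it takes the fixed versions from the advisory text; release lines older than 2.4, which the advisory does not mention, are treated as unpatched. TensorFlow is imported lazily only inside the guarded call, so the checks themselves run without it installed.

```python
"""Client-side guards for CVE-2021-41200 (tf.summary.create_file_writer).

Added example, not TensorFlow project code. TensorFlow is imported lazily
inside safe_create_file_writer only, so the validators and the version
check run without TensorFlow installed.
"""
import re
import warnings
from typing import Any, List, Tuple

# Patch level that carries the fix, per release line named in the advisory.
_FIXED_PATCH = {(2, 4): 4, (2, 5): 2, (2, 6): 1, (2, 7): 0}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")

# Tensor-valued parameters of the public API (assumption: these are the
# inputs whose shape the kernel checks).
_WRITER_ARGS = ("logdir", "max_queue", "flush_millis", "filename_suffix")

# Python values that TensorFlow converts to a rank-0 tensor.
_SCALAR_TYPES = (str, bytes, bool, int, float)


def parse_version(version: str) -> Tuple[int, int, int, str]:
    """Split 'MAJOR.MINOR.PATCH[suffix]' into ints plus the pre-release suffix."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised TensorFlow version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), suffix


def is_patched(version: str) -> bool:
    """True if this TensorFlow version contains the CVE-2021-41200 fix.

    Release lines older than 2.4 received no backport and are reported as
    unpatched. A pre-release of exactly the fixed version (e.g. 2.7.0rc1)
    may predate the commit, so it is conservatively reported as unpatched.
    """
    major, minor, patch, suffix = parse_version(version)
    line = (major, minor)
    if line in _FIXED_PATCH:
        fixed = _FIXED_PATCH[line]
        return patch > fixed or (patch == fixed and not suffix)
    # 2.8+ and any later major include the fix; 2.3 and below never got it.
    return line > (2, 7)


def is_scalar_arg(value: Any) -> bool:
    """True if `value` would be handed to the op as a rank-0 tensor.

    None means "use the default" and is accepted. Objects exposing `.shape`
    (numpy arrays, tf.Tensor) are scalar only when that shape is empty; a
    list, tuple, dict or other container becomes a rank>=1 tensor (or fails
    conversion) and is rejected.
    """
    if value is None or isinstance(value, _SCALAR_TYPES):
        return True
    shape = getattr(value, "shape", None)
    if shape is None:
        return False
    try:
        return len(shape) == 0
    except (TypeError, ValueError):  # unknown rank: treat as non-scalar
        return False


def find_non_scalar_args(logdir: Any, max_queue: Any = None,
                         flush_millis: Any = None,
                         filename_suffix: Any = None) -> List[str]:
    """Return the names of arguments that would trip the kernel's scalar check."""
    values = (logdir, max_queue, flush_millis, filename_suffix)
    return [name for name, v in zip(_WRITER_ARGS, values) if not is_scalar_arg(v)]


def validate_writer_args(logdir: Any, max_queue: Any = None,
                         flush_millis: Any = None,
                         filename_suffix: Any = None) -> None:
    """Raise ValueError in Python instead of letting the op abort the process."""
    bad = find_non_scalar_args(logdir, max_queue, flush_millis, filename_suffix)
    if bad:
        raise ValueError(
            "tf.summary.create_file_writer requires scalar arguments; "
            "non-scalar: " + ", ".join(bad))


def safe_create_file_writer(logdir, max_queue=None, flush_millis=None,
                            filename_suffix=None, name=None):
    """Validate, warn on an unpatched TensorFlow, then delegate to the real API."""
    validate_writer_args(logdir, max_queue, flush_millis, filename_suffix)
    import tensorflow as tf  # lazy import: see module docstring
    if not is_patched(tf.__version__):
        warnings.warn(f"TensorFlow {tf.__version__} lacks the CVE-2021-41200 fix; "
                      "relying on the Python-side validation above", RuntimeWarning)
    return tf.summary.create_file_writer(
        logdir, max_queue=max_queue, flush_millis=flush_millis,
        filename_suffix=filename_suffix, name=name)
```

The point of validating in Python is that a CHECK-fail is a process abort, not an exception: no try/except around the call can recover from it, and a training or serving job that builds its summary writer from configuration it did not author loses the whole process. Raising ValueError before the op runs turns that into an ordinary error on unpatched builds; upgrading to a fixed release remains the actual remedy, and the version check is there to flag hosts where the wrapper is still doing the work.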
References
- NVD entry
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-gh8h-7j2j-qv4f
- https://github.com/tensorflow/tensorflow/issues/46909
- https://github.com/tensorflow/tensorflow/commit/874bda09e6702cd50bac90b453b50bcc65b2769e
Affected or Relevant Artifacts
- Developer: tensorflow
- Deployer: tensorflow
- Artifact Details:
| Type | Name |
|---|---|
| System | tensorflow |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Field | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Base Score | 5.5 |
| Base Severity | 🟠 Medium |
| Attack Vector | LOCAL |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🟢 Low |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-617 | Reachable Assertion |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2021-11-05
- Version: 0.3.3
- AVID Entry