AVID-2026-R0895

Description

Overflow/crash in tf.range (CVE-2021-41202)

Details

TensorFlow is an open source platform for machine learning. In affected versions while calculating the size of the output within the tf.range kernel, there is a conditional statement of type int64 = condition ? int64 : double. Due to C++ implicit conversion rules, both branches of the condition will be cast to double and the result would be truncated before the assignment. This result in overflows. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2021-41202 describes a software vulnerability (overflow/crash) in TensorFlow’s tf.range, a core ML framework component. It affects TensorFlow versions used to build/train/deploy AI systems and has a defined CVE with references and fixes. This is clearly a software supply-chain issue (a dependency/library used in AI pipelines) and constitutes a security vulnerability (local exploit with potential availability impact). The report provides sufficient evidence (CVE entry, affected versions, fixes, related commits).

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xrqm-fpgr-6hhx
• https://github.com/tensorflow/tensorflow/issues/46889
• https://github.com/tensorflow/tensorflow/issues/46912
• https://github.com/tensorflow/tensorflow/commit/1b0e0ec27e7895b9985076eab32445026ae5ca94
• https://github.com/tensorflow/tensorflow/commit/6d94002a09711d297dbba90390d5482b76113899

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2021-11-05
• Version: 0.3.3
• AVID Entry