Home » Database

AVID-2026-R0897

Description

Segfault while copying constant resource tensor (CVE-2021-41204)

Details

TensorFlow is an open source platform for machine learning. In affected versions during TensorFlow’s Grappler optimizer phase, constant folding might attempt to deep copy a resource tensor. This results in a segfault, as these tensors are supposed to not change. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2021-41204 describes a software vulnerability in TensorFlow (an AI/ML framework). It impacts the Grappler optimizer during constant folding, leading to a segfault. This directly affects software used to build/train/deploy general-purpose AI systems and is addressed via software fixes/backports. The issue is in a component (TensorFlow) used in AI pipelines, not hardware/firmware-only, and constitutes a security vulnerability (potential DoS via crash). Sufficient details and references are provided (affected versions, remediation).

References

Affected or Relevant Artifacts

  • Developer: tensorflow
  • Deployer: tensorflow
  • Artifact Details:
TypeName
Systemtensorflow

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.1
Vector StringCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score5.5
Base Severity🟠 Medium
Attack VectorLOCAL
Attack Complexity🟢 Low
Privileges Required🟢 Low
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability Impact🔴 High

CWE

IDDescription
CWE-824CWE-824: Access of Uninitialized Pointer

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2021-11-05
  • Version: 0.3.3
  • AVID Entry