Home » Database

AVID-2026-R0902

Description

Heap OOB read in tf.raw_ops.SparseCountSparseOutput (CVE-2021-41210)

Details

TensorFlow is an open source platform for machine learning. In affected versions the shape inference functions for SparseCountSparseOutput can trigger a read outside of bounds of heap allocated array. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2021-41210 describes a heap out-of-bounds read in TensorFlow’s SparseCountSparseOutput shape inference. TensorFlow is a core AI/ML framework, and this vulnerability affects software components widely used to build/train/deploy AI systems. It is a security vulnerability with potential impact (local access/DoS via memory error) and has an official fix/version guidance. This clearly concerns AI software supply chains (dependencies/frameworks) and meets the AVID criteria for inclusion.

References

Affected or Relevant Artifacts

  • Developer: tensorflow
  • Deployer: tensorflow
  • Artifact Details:
TypeName
Systemtensorflow

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.1
Vector StringCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Base Score7.1
Base Severity🔴 High
Attack VectorLOCAL
Attack Complexity🟢 Low
Privileges Required🟢 Low
User InteractionNONE
ScopeUNCHANGED
Confidentiality Impact🔴 High
Integrity ImpactNONE
Availability Impact🔴 High

CWE

IDDescription
CWE-125CWE-125: Out-of-bounds Read

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2021-11-05
  • Version: 0.3.3
  • AVID Entry