AVID-2026-R0905

Description

Reference binding to nullptr in tf.ragged.cross (CVE-2021-41214)

Details

TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for tf.ragged.cross has undefined behavior due to binding a reference to nullptr. The fix will be included in TensorFlow 2.7.0. We will also cherry-pick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: The CVE describes a vulnerability in TensorFlow’s code (tf.ragged.cross) that causes undefined behavior by binding a reference to nullptr. TensorFlow is a foundational ML framework; the issue affects AI software stacks and could impact models, pipelines, and deployments. It has a CVE entry, a fix, and clear references, indicating a security vulnerability with potential high impact. This aligns with software supply chain concerns for general-purpose AI systems (dependencies and runtimes in ML pipelines).

References

Affected or Relevant Artifacts

  • Developer: tensorflow
  • Deployer: tensorflow
  • Artifact Details:
      • Type: System
      • Name: tensorflow

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.1
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Base Score: 7.8
  • Base Severity: 🔴 High
  • Attack Vector: LOCAL
  • Attack Complexity: 🟢 Low
  • Privileges Required: 🟢 Low
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: 🔴 High
  • Integrity Impact: 🔴 High
  • Availability Impact: 🔴 High

CWE

  • ID: CWE-824
  • Description: CWE-824: Access of Uninitialized Pointer

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2021-11-05
  • Version: 0.3.3
  • AVID Entry