AVID-2026-R0906

Description

Null pointer exception in DeserializeSparse (CVE-2021-41215)

Details

TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for DeserializeSparse can trigger a null pointer dereference. This is because the shape inference function assumes that the serialize_sparse tensor is a tensor with positive rank (and having 3 as the last dimension). The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: CVE-2021-41215 describes a software vulnerability (null pointer dereference) in TensorFlow’s DeserializeSparse shape inference, which can lead to a crash. TensorFlow is a core ML framework widely used to build/train/serve AI systems, so this vulnerability affects software commonly used in AI pipelines. It is a software supply chain issue since it resides in a dependency/library used to run AI workloads, not a hardware/firmware issue. The report provides description, affected versions, impact, and references, supporting its security relevance.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-x3v8-c8qx-3j3r
• https://github.com/tensorflow/tensorflow/commit/d3738dd70f1c9ceb547258cbb82d853da8771850

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2021-11-05
• Version: 0.3.3
• AVID Entry