Home » Database

AVID-2026-R0907

Description

Heap buffer overflow in Transpose (CVE-2021-41216)

Details

TensorFlow is an open source platform for machine learning. In affected versions the shape inference function for Transpose is vulnerable to a heap buffer overflow. This occurs whenever perm contains negative elements. The shape inference function does not validate that the indices in perm are all valid. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: This CVE targets TensorFlow, a core AI/ML framework. It describes a heap buffer overflow in the Transpose shape inference function, affecting multiple TensorFlow versions and tracked with CVE/NVD/GHSA. Since TensorFlow is a widely used component in AI pipelines and the vulnerability is a software security issue within a key AI software stack, it constitutes a supply chain vulnerability in general-purpose AI systems with clear evidence.

References

Affected or Relevant Artifacts

  • Developer: tensorflow
  • Deployer: tensorflow
  • Artifact Details:
TypeName
Systemtensorflow

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.1
Vector StringCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score5.5
Base Severity🟠 Medium
Attack VectorLOCAL
Attack Complexity🟢 Low
Privileges Required🟢 Low
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability Impact🔴 High

CWE

IDDescription
CWE-120CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2021-11-05
  • Version: 0.3.3
  • AVID Entry