AVID-2026-R0908

Description

Null pointer exception when Exit node is not preceded by Enter op (CVE-2021-41217)

Details

TensorFlow is an open source platform for machine learning. In affected versions the process of building the control flow graph for a TensorFlow model is vulnerable to a null pointer exception when nodes that should be paired are not. This occurs because the code assumes that the first node in the pairing (e.g., an Enter node) always exists when encountering the second node (e.g., an Exit node). When this is not the case, parent is nullptr so dereferencing it causes a crash. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Reason for inclusion in AVID: The CVE describes a null pointer dereference in TensorFlow’s graph-building path, a core AI framework used in building and deploying AI models. This is a software vulnerability within a dependency/framework central to general-purpose AI systems, not hardware/firmware. The issue affects availability and is documented with CVE/NVD references and a concrete fix plan, providing sufficient evidence for curation as a software supply-chain vulnerability in AI stacks.

References

• NVD entry
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-5crj-c72x-m7gq
• https://github.com/tensorflow/tensorflow/commit/05cbebd3c6bb8f517a158b0155debb8df79017ff

Affected or Relevant Artifacts

• Developer: tensorflow
• Deployer: tensorflow
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2021-11-05
• Version: 0.3.3
• AVID Entry