CVE-2021-41214
HIGHTensorFlow < 2.4.4, 2.6.0-2.6.1 - Access of Uninitialized Pointer in Ragged Cross Shape Inference
Title source: llmDescription
TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for `tf.ragged.cross` has an undefined behavior due to binding a reference to `nullptr`. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.
References (2)
Core 2
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/tensorflow/tensorflow/commit/fa6b7782fbb14aa08d767bc799c531f5e1fb3bb8
Exploit, Patch, Third Party Advisory x_refsource_confirm
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vwhq-49r4-gj9v
Scores
CVSS v3
7.8
EPSS
0.0021
EPSS Percentile
11.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-824
Status
published
Products (5)
google/tensorflow
2.6.0
google/tensorflow
< 2.4.4
pypi/tensorflow
2.6.0 - 2.6.1PyPI
pypi/tensorflow-cpu
2.6.0 - 2.6.1PyPI
pypi/tensorflow-gpu
2.6.0 - 2.6.1PyPI
Published
Nov 05, 2021
Tracked Since
Feb 18, 2026