CVE-2021-41220
HIGH
TensorFlow 2.6.0 - Use-After-Free in CollectiveReduceV2 Async Implementation
Title source: llmDescription
TensorFlow is an open source platform for machine learning. In affected versions the async implementation of `CollectiveReduceV2` suffers from a memory leak and a use-after-free. This occurs because the computation is asynchronous and objects that have already been `std::move()`d from are still accessed afterwards. The fix will be included in TensorFlow 2.7.0. We will also cherry-pick this commit on TensorFlow 2.6.1, as this version is the only one that is also affected.
References (2)
Exploit, Patch, Third Party Advisory (x_refsource_confirm)
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-gpfh-jvf9-7wg5
Patch, Third Party Advisory (x_refsource_misc)
https://github.com/tensorflow/tensorflow/commit/ca38dab9d3ee66c5de06f11af9a4b1200da5ef75
Scores
CVSS v3
7.8
EPSS
0.0020
EPSS Percentile
10.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-416
Status
published
Products (5)
google/tensorflow
2.7.0 rc0 (2 CPE variants)
google/tensorflow
2.6.0 - 2.6.1
pypi/tensorflow
2.6.0 - 2.6.1 (PyPI)
pypi/tensorflow-cpu
2.6.0 - 2.6.1 (PyPI)
pypi/tensorflow-gpu
2.6.0 - 2.6.1 (PyPI)
Published
Nov 05, 2021
Tracked Since
Feb 18, 2026