CVE-2021-41220

HIGH

TensorFlow 2.6.0 - Use-After-Free in CollectiveReduceV2 Async Implementation

Title source: llm

Description

TensorFlow is an open source platform for machine learning. In affected versions, the async implementation of `CollectiveReduceV2` suffers from a memory leak and a use-after-free. This occurs because the computation is asynchronous and objects that have already been `std::move()`d from are still accessed afterwards. The fix will be included in TensorFlow 2.7.0. We will also cherry-pick this commit on TensorFlow 2.6.1, as this version is the only one that is also affected.

References (2)

Core 2

Scores

CVSS v3 7.8
EPSS 0.0020
EPSS Percentile 10.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-416
Status published
Products (5)
google/tensorflow 2.7.0 rc0 (2 CPE variants)
google/tensorflow 2.6.0 - 2.6.1
pypi/tensorflow 2.6.0 - 2.6.1 (PyPI)
pypi/tensorflow-cpu 2.6.0 - 2.6.1 (PyPI)
pypi/tensorflow-gpu 2.6.0 - 2.6.1 (PyPI)
Published Nov 05, 2021
Tracked Since Feb 18, 2026