CVE-2021-41225
MEDIUMTensorFlow 2.4.0-2.4.3, 2.6.0 - Use of Uninitialized Variable in Grappler Optimizer
Title source: llmDescription
TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's Grappler optimizer has a use of unitialized variable. If the `train_nodes` vector (obtained from the saved model that gets optimized) does not contain a `Dequeue` node, then `dequeue_node` is left unitialized. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.
References (2)
Core 2
Core References
Exploit, Patch, Third Party Advisory x_refsource_confirm
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7r94-xv9v-63jw
Patch, Third Party Advisory x_refsource_misc
https://github.com/tensorflow/tensorflow/commit/68867bf01239d9e1048f98cbad185bf4761bedd3
Scores
CVSS v3
5.5
EPSS
0.0019
EPSS Percentile
8.8%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-908
Status
published
Products (5)
google/tensorflow
2.7.0 rc0 (2 CPE variants)
google/tensorflow
2.4.0 - 2.4.4
pypi/tensorflow
2.6.0 - 2.6.1PyPI
pypi/tensorflow-cpu
2.6.0 - 2.6.1PyPI
pypi/tensorflow-gpu
2.6.0 - 2.6.1PyPI
Published
Nov 05, 2021
Tracked Since
Feb 18, 2026