CVE-2021-29516 in TensorFlow
Summary
by MITRE • 05/15/2021
TensorFlow is an end-to-end open source platform for machine learning. Calling `tf.raw_ops.RaggedTensorToVariant` with arguments specifying an invalid ragged tensor results in a null pointer dereference. The implementation of `RaggedTensorToVariant` operations(https://github.com/tensorflow/tensorflow/blob/904b3926ed1c6c70380d5313d282d248a776baa1/tensorflow/core/kernels/ragged_tensor_to_variant_op.cc#L39-L40) does not validate that the ragged tensor argument is non-empty. Since `batched_ragged` contains no elements, `batched_ragged.splits` is a null vector, thus `batched_ragged.splits(0)` will result in dereferencing `nullptr`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/16/2021
The vulnerability CVE-2021-29516 represents a critical null pointer dereference flaw in TensorFlow's implementation of the `RaggedTensorToVariant` operation. This issue specifically affects the raw operations interface within TensorFlow's machine learning platform, where improper validation of ragged tensor arguments leads to system instability. The vulnerability manifests when the `tf.raw_ops.RaggedTensorToVariant` function receives invalid ragged tensor inputs that specify empty or malformed tensor structures, creating conditions that result in memory access violations.
The technical root cause stems from inadequate input validation within the `RaggedTensorToVariant` implementation located in TensorFlow's kernel components. According to the source code analysis, the operation fails to verify that the ragged tensor argument contains valid elements before proceeding with processing. When a batched ragged tensor is provided without elements, the `batched_ragged.splits` attribute becomes a null vector, causing subsequent access to `batched_ragged.splits(0)` to attempt dereferencing a null pointer. This fundamental validation gap creates a predictable crash condition that can be exploited by malicious actors to cause denial of service or potentially escalate privileges depending on the execution context.
This vulnerability directly maps to CWE-476, which describes null pointer dereference conditions in software systems. The operational impact extends beyond simple application crashes to potentially affect machine learning workflows and training environments where TensorFlow serves as the underlying computational framework. Attackers could leverage this weakness to disrupt machine learning pipelines, cause system instability in production environments, or potentially use it as part of a broader exploitation chain targeting TensorFlow-based applications. The vulnerability affects multiple TensorFlow versions including 2.1.4, 2.2.3, 2.3.3, 2.4.2, and the upcoming 2.5.0 release, indicating a widespread impact across the platform's supported versions.
The fix implementation addresses this by incorporating proper validation checks that ensure ragged tensor arguments contain non-empty elements before attempting to access their internal structures. This approach aligns with ATT&CK technique T1499.004, which covers network denial of service attacks through exploitation of software vulnerabilities. Organizations utilizing TensorFlow in production environments must immediately apply the patches to versions 2.1.4 through 2.4.2, as these releases remain within the supported maintenance window. The remediation strategy involves implementing input validation mechanisms that prevent null pointer dereference conditions while maintaining backward compatibility with existing TensorFlow workflows and applications. System administrators should prioritize patch deployment across all affected TensorFlow installations to mitigate potential exploitation risks and ensure continued system stability in machine learning environments.