{"id":"CVE-2021-41227","details":"TensorFlow is an open source platform for machine learning. In affected versions the `ImmutableConst` operation in TensorFlow can be tricked into reading arbitrary memory contents. This is because the `tstring` TensorFlow string class has a special case for memory mapped strings but the operation itself does not offer any support for this datatype. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.","aliases":["BIT-tensorflow-2021-41227","GHSA-j8c8-67vp-6mx7","PYSEC-2021-419","PYSEC-2021-636","PYSEC-2021-834"],"modified":"2026-04-11T18:45:27.270556Z","published":"2021-11-05T23:15:08.603Z","related":["GHSA-j8c8-67vp-6mx7","openSUSE-SU-2024:12116-1"],"references":[{"type":"FIX","url":"https://github.com/tensorflow/tensorflow/commit/1cb6bb6c2a6019417c9adaf9e6843ba75ee2580b"},{"type":"FIX","url":"https://github.com/tensorflow/tensorflow/commit/3712a2d3455e6ccb924daa5724a3652a86f6b585"},{"type":"FIX","url":"https://github.com/tensorflow/tensorflow/security/advisories/GHSA-j8c8-67vp-6mx7"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tensorflow/tensorflow","events":[{"introduced":"582c8d236cb079023657287c318ff26adb239002"},{"fixed":"64918868e2154b06c7479347a59a4230f785e9fa"},{"introduced":"a4dfb8d1a71385bd6d122e4f27f86dcebb96712d"},{"fixed":"957590ea15cc03ee2e00fc61934647d54836676f"},{"introduced":"919f693420e35d00c8d0a42100837ae3718f7927"},{"fixed":"3aa40c3ce9d16eae296f086bc4ac4d62deb2affc"},{"introduced":"0"},{"last_affected":"ce35e5c3a8efdb8161c6a85c8fb9ffb5bbdc9ffd"},{"introduced":"0"},{"last_affected":"ff68385595088304cf772086b9a259a65b007622"},{"fixed":"1cb6bb6c2a6019417c9adaf9e6843ba75ee2580b"},{"fixed":"3712a2d3455e6ccb924daa5724a3652a86f6b585"}],"database_specific":{"versions":[{"introduced":"2.4.0"},{"fixed":"2.4.4"},{"introduced":"2.5.0"},{"fixed":"2.5.2"},{"introduced":"2.6.0"},{"fixed":"2.6.1"},{"introduced":"0"},{"last_affected":"2.7.0-rc0"},{"introduced":"0"},{"last_affected":"2.7.0-rc1"}]}}],"versions":["0.5.0","0.6.0","v1.1.0-rc1","v1.1.0-rc2","v1.12.1","v1.6.0-rc1","v1.9.0-rc2","v2.4.0","v2.4.1","v2.4.2","v2.4.3","v2.5.0","v2.5.1","v2.6.0","v2.7.0-rc0","v2.7.0-rc1"],"database_specific":{"vanir_signatures_modified":"2026-04-11T18:45:27Z","vanir_signatures":[{"digest":{"line_hashes":["174045081348514498752730489800441352242","30464841647973856328208289424462580878","195798040939069581557000738169115321784","49797799207709018406352749205998805655"],"threshold":0.9},"target":{"file":"tensorflow/core/platform/ctstring_test.cc"},"signature_type":"Line","id":"CVE-2021-41227-0e41b8b8","source":"https://github.com/tensorflow/tensorflow/commit/3712a2d3455e6ccb924daa5724a3652a86f6b585","deprecated":false,"signature_version":"v1"},{"digest":{"line_hashes":["35840795396962144014266088504210165780","35053958395221606983544747048853920868","80120273600559697313878852809814669821","175475655232241599018261031739131379724","77660345209067020250542101862374780047","75786973220184405262794269869674926479","5088270022996537920928290966536847304","269293649387194532300058645244217819366","257366336390877788451162406419020869880","152071640746727329423373538796124985370","276688397315747986970434659459001530969"],"threshold":0.9},"target":{"file":"tensorflow/core/kernels/immutable_constant_op_test.cc"},"signature_type":"Line","id":"CVE-2021-41227-40c98fe5","source":"https://github.com/tensorflow/tensorflow/commit/1cb6bb6c2a6019417c9adaf9e6843ba75ee2580b","deprecated":false,"signature_version":"v1"},{"digest":{"length":354,"function_hash":"80326281629030041451528937454896159459"},"target":{"file":"tensorflow/core/kernels/immutable_constant_op.cc","function":"ImmutableConstantOp::Compute"},"signature_type":"Function","id":"CVE-2021-41227-be37b465","source":"https://github.com/tensorflow/tensorflow/commit/1cb6bb6c2a6019417c9adaf9e6843ba75ee2580b","deprecated":false,"signature_version":"v1"},{"digest":{"line_hashes":["289779612321949807918814440226489956559","150131526686098343033425028200904733936","213580123553828566148579833950586627467","148701117315135864890098543200550143909"],"threshold":0.9},"target":{"file":"tensorflow/core/kernels/immutable_constant_op.cc"},"signature_type":"Line","id":"CVE-2021-41227-ea1068a5","source":"https://github.com/tensorflow/tensorflow/commit/1cb6bb6c2a6019417c9adaf9e6843ba75ee2580b","deprecated":false,"signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41227.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}