CVE-2021-37690: 
Python vulnerability analysis and mitigation

TensorFlow, an end-to-end open source platform for machine learning, was found to have a critical vulnerability (CVE-2021-37690) affecting versions prior to 2.6.0. The vulnerability was discovered and disclosed on August 13, 2021. The issue affects multiple versions of TensorFlow including versions before 2.3.4, 2.4.3, 2.5.1, and 2.6.0 (GitHub Advisory).

The vulnerability occurs when running shape functions, specifically in functions like MutableHashTableShape that produce extra output information in the form of a ShapeAndType struct. The shapes embedded in this struct are owned by an inference context that is cleaned up almost immediately. If the upstream code attempts to access this shape information after cleanup, it can trigger a segmentation fault. While ShapeRefiner mitigates this for normal output shapes by cloning them, it wasn't implementing the same protection for shapes and types. The vulnerability has been assigned a CVSS v3.1 base score of 6.6 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H (NVD).

The vulnerability can lead to a segmentation fault in the application, potentially causing denial of service. The issue affects the confidentiality, integrity, and availability of the system, with particularly high impact on availability due to the potential crash of the application (GitHub Advisory).

The issue has been patched in GitHub commit ee119d4a498979525046fba1c3dd3f13a039fbb1. The fix was included in TensorFlow 2.6.0 and was backported to versions 2.5.1, 2.4.3, and 2.3.4. Users are recommended to upgrade to these patched versions to mitigate the vulnerability (GitHub Advisory).