CVE-2021-41225: 
Python vulnerability analysis and mitigation

TensorFlow is an open source platform for machine learning. In affected versions prior to 2.7.0, TensorFlow's Grappler optimizer contained a use of uninitialized variable vulnerability. The issue was discovered and disclosed on November 4, 2021, affecting TensorFlow versions 2.4.0 through 2.6.x (GitHub Advisory).

The vulnerability occurs when the train_nodes vector (obtained from the saved model that gets optimized) does not contain a Dequeue node, resulting in the dequeue_node variable being left uninitialized before use. The issue has been assigned CVE-2021-41225 with a CVSS v3.1 base score of 5.5 MEDIUM according to GitHub's assessment, while the NVD rates it as 7.8 HIGH with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

When exploited, this vulnerability could lead to use of uninitialized memory, potentially resulting in program crashes or undefined behavior. The vulnerability requires local access and low privileges to exploit (NVD).

The issue has been patched in TensorFlow version 2.7.0. The fix was also backported to versions 2.6.1, 2.5.2, and 2.4.4. Users are advised to upgrade to these patched versions. The fix involves properly initializing the dequeue_node variable to nullptr (GitHub Commit).