CVE-2021-37636: TensorFlow: div-by-zero DoS in SparseDenseCwiseDiv op

MEDIUM
Published August 12, 2021
CISO Take

A local attacker with low privileges can crash TensorFlow processes by triggering a division-by-zero in sparse tensor operations. No data exfiltration risk, but shared ML compute environments (Jupyter hubs, training clusters) are exposed to availability attacks. Patch immediately to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4.

Risk Assessment

MEDIUM. The local-access and low-privilege requirements significantly narrow the attack surface. Pure availability impact (no confidentiality or integrity risk). Risk escalates in multi-tenant ML platforms where shared Jupyter environments or training clusters allow co-tenants to deliberately crash others' workloads. Not actively exploited, and no weaponized public PoC is needed: the trigger is a trivially crafted sparse tensor.

Affected Systems

Package      Ecosystem   Vulnerable Range   Patched
tensorflow   pip                            No patch

Severity & Risk

CVSS 3.1: 5.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 2% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High

Recommended Action

5 steps
  1. PATCH

    Upgrade to TensorFlow 2.6.0 (fix included) or apply cherry-picked commits to 2.5.1, 2.4.3, or 2.3.4. Commit d9204be9f49520cdaaeb2541d1dc5187b23f31d9 is the fix.

  2. WORKAROUND

    Add input validation to reject sparse tensors with zero-value denominators before passing to SparseDenseCwiseDiv.

  3. ISOLATION

    In multi-tenant ML platforms, enforce process-level isolation (separate containers/VMs per user) to prevent cross-tenant DoS.

  4. DETECTION

    Monitor for unexpected TensorFlow process crashes; alert on SIGFPE or divide-by-zero signals from TF worker processes.

  5. INVENTORY

    Identify any public-facing inference APIs or shared notebook platforms running affected TF versions.
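To illustrate step 2 (WORKAROUND), here is an added example that is not part of this advisory or of TensorFlow itself: a pure-Python pre-check that mirrors how the op broadcasts the dense divisor (right-aligned onto the sparse shape, with size-1 dims broadcast) and reports exactly which stored sparse entries an unpatched integer kernel would divide by zero (the crash is a C++ integer division by zero, i.e. SIGFPE). Inputs use the op's own layout (sp_indices, sp_values, sp_shape, plus the dense tensor as a flat list with its shape); the function names and sample tensors are constructed for this example, and the pure-Python quotient is a stand-in for calling tf.raw_ops.SparseDenseCwiseDiv once the check passes.

```python
# Added example (not from the advisory or TensorFlow): pre-check inputs of
# tf.raw_ops.SparseDenseCwiseDiv so an unpatched integer kernel never sees a
# zero divisor. The op reads only the dense elements at the sparse entries'
# coordinates, after broadcasting the dense tensor right-aligned onto the
# sparse shape (a dense dim of size 1 broadcasts), so the check mirrors that.
from typing import List, Sequence, Tuple

Index = Tuple[int, ...]


def _dense_offset(idx: Index, sp_shape: Sequence[int], dense_shape: Sequence[int]) -> int:
    """Flat offset of the dense element the op would read for sparse coordinate idx."""
    pad = len(sp_shape) - len(dense_shape)
    if pad < 0:
        raise ValueError("dense tensor has higher rank than the sparse tensor")
    offset = 0
    for d, size in enumerate(dense_shape):
        target = sp_shape[pad + d]
        if size != target and size != 1:
            raise ValueError(f"dense dim {d} (size {size}) does not broadcast to {target}")
        offset = offset * size + (0 if size == 1 else idx[pad + d])
    return offset


def zero_divisor_positions(sp_indices, sp_shape, dense_flat, dense_shape) -> List[Index]:
    """Sparse coordinates whose divisor is zero; non-empty means the call is unsafe."""
    return [tuple(idx) for idx in sp_indices
            if dense_flat[_dense_offset(tuple(idx), sp_shape, dense_shape)] == 0]


def _trunc_div(a: int, b: int) -> int:
    """Integer division truncating toward zero, as the C++ kernel does."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def guarded_sparse_dense_div(sp_indices, sp_values, sp_shape, dense_flat, dense_shape) -> List[int]:
    """Reject inputs that would crash an unpatched kernel; otherwise return the
    per-entry quotients (pure-Python stand-in for the TensorFlow op)."""
    bad = zero_divisor_positions(sp_indices, sp_shape, dense_flat, dense_shape)
    if bad:
        raise ValueError(f"refusing SparseDenseCwiseDiv: zero divisor at {bad}")
    return [_trunc_div(v, dense_flat[_dense_offset(tuple(i), sp_shape, dense_shape)])
            for i, v in zip(sp_indices, sp_values)]


if __name__ == "__main__":
    # Constructed sample: 2x3 sparse tensor with three stored entries and a
    # rank-1 dense divisor that broadcasts along rows; its column 1 is zero.
    indices, values, shape = [[0, 0], [1, 2], [1, 1]], [6, -7, 8], [2, 3]
    print(zero_divisor_positions(indices, shape, [3, 0, 2], [3]))  # [(1, 1)]
    print(guarded_sparse_dense_div(indices, values, shape, [3, 1, 2], [3]))  # [2, -3, 8]
```

A zero in the dense tensor that no stored sparse entry points at is not flagged, because the op never reads it; a stricter policy can simply reject any zero in the dense input.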

Classification

Compliance Impact

This CVE is relevant to:

ISO 42001
A.6.2.5 - AI system availability and resilience
NIST AI RMF
GOVERN 1.7 - Processes and procedures are in place for decommissioning AI systems
MANAGE 2.2 - Mechanisms to sustain AI risk management are planned
OWASP LLM Top 10
LLM06 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-37636?

A local attacker with low privileges can crash TensorFlow processes by triggering a division-by-zero in sparse tensor operations. No data exfiltration risk, but shared ML compute environments (Jupyter hubs, training clusters) are exposed to availability attacks. Patch immediately to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4.

Is CVE-2021-37636 actively exploited?

No confirmed active exploitation of CVE-2021-37636 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37636?

1. PATCH: Upgrade to TensorFlow 2.6.0 (fix included) or apply cherry-picked commits to 2.5.1, 2.4.3, or 2.3.4. Commit d9204be9f49520cdaaeb2541d1dc5187b23f31d9 is the fix.
2. WORKAROUND: Add input validation to reject sparse tensors with zero-value denominators before passing to SparseDenseCwiseDiv.
3. ISOLATION: In multi-tenant ML platforms, enforce process-level isolation (separate containers/VMs per user) to prevent cross-tenant DoS.
4. DETECTION: Monitor for unexpected TensorFlow process crashes; alert on SIGFPE or divide-by-zero signals from TF worker processes.
5. INVENTORY: Identify any public-facing inference APIs or shared notebook platforms running affected TF versions.

What systems are affected by CVE-2021-37636?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML compute (Jupyter/notebook platforms).

What is the CVSS score for CVE-2021-37636?

CVE-2021-37636 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.SparseDenseCwiseDiv` is vulnerable to a division by 0 error. The [implementation](https://github.com/tensorflow/tensorflow/blob/a1bc56203f21a5a4995311825ffaba7a670d7747/tensorflow/core/kernels/sparse_dense_binary_op_shared.cc#L56) uses a common class for all binary operations but fails to treat the division by 0 case separately. We have patched the issue in GitHub commit d9204be9f49520cdaaeb2541d1dc5187b23f31d9. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with access to a shared ML training cluster or Jupyter hub constructs a sparse tensor together with a dense divisor tensor that contains zero values, then calls tf.raw_ops.SparseDenseCwiseDiv(). The operation crashes the TensorFlow process immediately. In a shared environment, this aborts co-tenants' training jobs. If the op is integrated into a model serving pipeline that accepts user-supplied sparse inputs without sanitization, an external attacker could repeatedly crash the inference service, effectively taking it offline.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
August 12, 2021
Last Modified
November 21, 2024
First Seen
August 12, 2021

Related Vulnerabilities