CVE-2021-37637: TensorFlow: null ptr dereference in CompressElement (DoS)

MEDIUM
Published August 12, 2021
CISO Take

This TensorFlow vulnerability allows any local user with low privileges to crash training jobs or data pipelines by passing malformed input to the CompressElement operation. In shared ML infrastructure — multi-user Jupyter environments, training clusters, or MLOps platforms — this enables disruption of competing workloads. Patch to TF 2.6.0 (or backports 2.5.1/2.4.3/2.3.4) and restrict untrusted code execution on shared training infrastructure.

Risk Assessment

Medium risk overall, but elevated in shared ML compute environments. Exploitation is trivial — no AI/ML expertise required, just passing an invalid buffer to a TF op. The attack surface is limited to local access, reducing exposure for cloud-isolated training jobs. However, multi-tenant ML platforms (internal Jupyter hubs, Kubeflow clusters, SageMaker Studio shared domains) are genuinely at risk of deliberate or accidental DoS. No confidentiality or integrity impact — pure availability play. Not in CISA KEV and no known active exploitation.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 5.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 14% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

AV Local
AC Low
PR Low
UI None
S Unchanged
C None
I None
A High

Recommended Action

  1. PATCH

    Upgrade TensorFlow to 2.6.0 or apply backports to 2.5.1, 2.4.3, or 2.3.4.

  2. COMPENSATING CONTROL

    On shared ML infrastructure, enforce resource quotas and process isolation to limit blast radius of a triggered crash.

  3. INPUT VALIDATION

    If TF ops are exposed via a serving API or notebook gateway, validate that input buffers are non-null and properly sized before forwarding to CompressElement.

  4. DETECTION

    Monitor for unexpected TF process crashes or SIGSEGV signals in training job logs — abnormal termination without OOM or CUDA errors may indicate exploitation attempts.

  5. INVENTORY

    Identify internal tools and pipelines that call tf.raw_ops.CompressElement directly and prioritize patching those codebases.
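One way to combine the PATCH and INVENTORY steps is shown below as an added example; it is not code from the advisory or from TensorFlow. It compares an installed version against the fixed releases named on this page and uses Python's `ast` module to find references to the op in pipeline source. The function names, the sample module and the path `etl/pack.py` are hypothetical.

```python
import ast
import re

OP = "CompressElement"
# First fixed release per branch, as named in the advisory text.
FIXED_PATCH = {(2, 3): 4, (2, 4): 3, (2, 5): 1}   # 2.3.4, 2.4.3, 2.5.1
FIRST_FIXED_BRANCH = (2, 6)                        # 2.6.0 and later

def is_patched(version):
    """True if a final-release version string is at or past its branch's fix."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(\+.*)?", version)
    if not m:
        return False   # assumption: pre-release or unparseable builds get manual review
    major, minor, patch = (int(g) for g in m.groups()[:3])
    if (major, minor) >= FIRST_FIXED_BRANCH:
        return True
    # Assumption: branches with no fixed release listed count as unpatched.
    return patch >= FIXED_PATCH.get((major, minor), float("inf"))

def find_op_uses(source):
    """Sorted line numbers where the raw op is referenced or imported."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr == OP:
            base = node.value            # tf.raw_ops.X, tensorflow.raw_ops.X, raw_ops.X
            name = base.attr if isinstance(base, ast.Attribute) else getattr(base, "id", "")
            if name == "raw_ops":
                hits.add(node.lineno)
        elif isinstance(node, ast.ImportFrom) and (node.module or "").endswith("raw_ops"):
            if any(alias.name == OP for alias in node.names):
                hits.add(node.lineno)
    return sorted(hits)

def audit(version, sources):
    """Files (path -> lines) to prioritise: op is used and TF is unpatched."""
    found = {p: find_op_uses(s) for p, s in sources.items()}
    return {} if is_patched(version) else {p: ln for p, ln in found.items() if ln}

# Constructed sample module; it is parsed, never executed.
SAMPLE = '''\
import tensorflow as tf
from tensorflow import raw_ops
def pack(batch):
    return tf.raw_ops.CompressElement(components=batch)
def pack_alias(batch):
    return raw_ops.CompressElement(components=batch)
'''

if __name__ == "__main__":
    print(audit("2.5.0", {"etl/pack.py": SAMPLE}))
```

The scan is static, so calls built dynamically (for example through `getattr`) are not found and still need a manual search.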

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art.9 - Risk management system
ISO 42001: A.6.2 - AI system resources and operation
NIST AI RMF: MANAGE-2.2 - Mechanisms to sustain AI risk management; MAP-5.1 - Likelihood and impact of AI risks

Frequently Asked Questions

What is CVE-2021-37637?

This TensorFlow vulnerability allows any local user with low privileges to crash training jobs or data pipelines by passing malformed input to the CompressElement operation. In shared ML infrastructure — multi-user Jupyter environments, training clusters, or MLOps platforms — this enables disruption of competing workloads. Patch to TF 2.6.0 (or backports 2.5.1/2.4.3/2.3.4) and restrict untrusted code execution on shared training infrastructure.

Is CVE-2021-37637 actively exploited?

No confirmed active exploitation of CVE-2021-37637 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37637?

1. PATCH: Upgrade TensorFlow to 2.6.0 or apply backports to 2.5.1, 2.4.3, or 2.3.4.
2. COMPENSATING CONTROL: On shared ML infrastructure, enforce resource quotas and process isolation to limit blast radius of a triggered crash.
3. INPUT VALIDATION: If TF ops are exposed via a serving API or notebook gateway, validate that input buffers are non-null and properly sized before forwarding to CompressElement.
4. DETECTION: Monitor for unexpected TF process crashes or SIGSEGV signals in training job logs — abnormal termination without OOM or CUDA errors may indicate exploitation attempts.
5. INVENTORY: Identify internal tools and pipelines that call tf.raw_ops.CompressElement directly and prioritize patching those codebases.

What systems are affected by CVE-2021-37637?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data preprocessing pipelines, shared ML compute infrastructure, MLOps orchestration platforms.

What is the CVSS score for CVE-2021-37637?

CVE-2021-37637 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. It is possible to trigger a null pointer dereference in TensorFlow by passing an invalid input to `tf.raw_ops.CompressElement`. The [implementation](https://github.com/tensorflow/tensorflow/blob/47a06f40411a69c99f381495f490536972152ac0/tensorflow/core/data/compression_utils.cc#L34) was accessing the size of a buffer obtained from the return of a separate function call before validating that said buffer is valid. We have patched the issue in GitHub commit 5dc7f6981fdaf74c8c5be41f393df705841fb7c5. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with access to a shared Jupyter Hub or Kubeflow notebook environment submits a notebook that calls `tf.raw_ops.CompressElement` with a crafted invalid input — specifically a tensor that returns a null or empty buffer from an upstream op. TensorFlow dereferences the null pointer before validating the buffer, causing a segfault that kills the TensorFlow runtime process. On a shared training cluster, this crashes co-located training jobs. In an MLOps pipeline where data preprocessing is a shared service, this could take down the preprocessing stage for all concurrent pipeline runs, creating a denial-of-service condition across multiple teams or production workflows.
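The segfault in this scenario reaches a scheduler as a SIGSEGV exit status, which is what the DETECTION step asks operators to watch for. The triage below is an added example, not part of the advisory: it flags jobs killed by SIGSEGV whose log tail shows no OOM or CUDA cause and groups them by node. The job records, their field names and the marker list are constructed assumptions.

```python
import re
import signal
from collections import defaultdict

SEGV = int(signal.SIGSEGV)
# Ordinary explanations to rule out first (marker list is a constructed assumption).
EXPLAINED = re.compile(r"\bOOM\b|out of memory|ResourceExhausted|CUDA[_ ]ERROR", re.I)

def died_of_sigsegv(exit_code):
    """Accept both conventions: shell-style 128+N and subprocess-style -N."""
    return exit_code in (128 + SEGV, -SEGV)

def unexplained_segfaults(jobs):
    """Ids of jobs killed by SIGSEGV whose log tail shows no OOM/CUDA cause."""
    return [j["id"] for j in jobs
            if died_of_sigsegv(j["exit_code"]) and not EXPLAINED.search(j["log_tail"])]

def nodes_to_investigate(jobs, threshold=2):
    """Nodes where at least `threshold` jobs segfaulted without explanation."""
    flagged = set(unexplained_segfaults(jobs))
    by_node = defaultdict(list)
    for j in jobs:
        if j["id"] in flagged:
            by_node[j["node"]].append(j["id"])
    return {node: ids for node, ids in by_node.items() if len(ids) >= threshold}

# Constructed job records; field names are hypothetical, not a scheduler's schema.
JOBS = [
    {"id": "j1", "node": "gpu-a", "exit_code": 139, "log_tail": "Segmentation fault (core dumped)"},
    {"id": "j2", "node": "gpu-a", "exit_code": -11, "log_tail": ""},
    {"id": "j3", "node": "gpu-b", "exit_code": 139, "log_tail": "CUDA_ERROR_ILLEGAL_ADDRESS"},
    {"id": "j4", "node": "gpu-b", "exit_code": 137, "log_tail": "Killed"},
    {"id": "j5", "node": "gpu-c", "exit_code": 139, "log_tail": "Fatal Python error: Segmentation fault"},
    {"id": "j6", "node": "gpu-c", "exit_code": 0, "log_tail": "training finished"},
]

if __name__ == "__main__":
    print(unexplained_segfaults(JOBS), nodes_to_investigate(JOBS))
```

A flagged node is a prompt to check which notebooks or jobs ran there and which TensorFlow version they used, not proof of deliberate misuse.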

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: August 12, 2021
Last Modified: November 21, 2024
First Seen: August 12, 2021

Related Vulnerabilities