CVE-2021-37637: TensorFlow: null ptr dereference in CompressElement (DoS)

MEDIUM
Published August 12, 2021
CISO Take

This TensorFlow vulnerability allows any local user with low privileges to crash training jobs or data pipelines by passing malformed input to the CompressElement operation. In shared ML infrastructure — multi-user Jupyter environments, training clusters, or MLOps platforms — this enables disruption of competing workloads. Patch to TF 2.6.0 (or backports 2.5.1/2.4.3/2.3.4) and restrict untrusted code execution on shared training infrastructure.

What is the risk?

Medium risk overall, but elevated in shared ML compute environments. Exploitation is trivial — no AI/ML expertise required, just passing an invalid buffer to a TF op. The attack surface is limited to local access, reducing exposure for cloud-isolated training jobs. However, multi-tenant ML platforms (internal Jupyter hubs, Kubeflow clusters, SageMaker Studio shared domains) are genuinely at risk of deliberate or accidental DoS. No confidentiality or integrity impact — pure availability play. Not in CISA KEV and no known active exploitation.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 5.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 5% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

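Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High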

What should I do?

5 steps
  1. PATCH

    Upgrade TensorFlow to 2.6.0 or apply backports to 2.5.1, 2.4.3, or 2.3.4.

  2. COMPENSATING CONTROL

    On shared ML infrastructure, enforce resource quotas and process isolation to limit blast radius of a triggered crash.

  3. INPUT VALIDATION

    If TF ops are exposed via a serving API or notebook gateway, validate that input buffers are non-null and properly sized before forwarding to CompressElement.

  4. DETECTION

    Monitor for unexpected TF process crashes or SIGSEGV signals in training job logs — abnormal termination without OOM or CUDA errors may indicate exploitation attempts.

  5. INVENTORY

    Identify internal tools and pipelines that call tf.raw_ops.CompressElement directly and prioritize patching those codebases.
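The patch and inventory steps can be scripted together. The following is an added example, not code from the advisory or from the TensorFlow project: `is_patched` encodes the fixed releases listed above, and `find_compress_element_uses` walks a Python source file's AST for references to `raw_ops.CompressElement`. The function names, the sample module, and the handling of pre-releases and of release lines without a listed backport are assumptions.

```python
import ast
import re

# Lowest fixed patch level per release line, taken from the advisory text.
FIXED = {(2, 3): 4, (2, 4): 3, (2, 5): 1, (2, 6): 0}

def is_patched(version):
    """True if a TensorFlow version string is at or past a listed fixed release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(.*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = (int(g) for g in m.groups()[:3])
    # Assumption: a pre-release of the fixed version itself predates the fix.
    prerelease = m.group(4).lstrip("-.").startswith(("a", "b", "rc", "dev"))
    if (major, minor) > max(FIXED):
        return True
    floor = FIXED.get((major, minor))
    if floor is None:                 # assumption: no listed backport means unpatched
        return False
    return patch > floor or (patch == floor and not prerelease)

def find_compress_element_uses(source, filename="<source>"):
    """Return sorted (line, dotted name) pairs referencing raw_ops.CompressElement."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Attribute) and node.attr == "CompressElement":
            dotted = ast.unparse(node)
            if "raw_ops" in dotted.split("."):
                hits.append((node.lineno, dotted))
        elif isinstance(node, ast.ImportFrom) and (node.module or "").endswith("raw_ops"):
            # Bare-name import, which the attribute check above would miss.
            hits += [(node.lineno, f"{node.module}.{a.name}")
                     for a in node.names if a.name == "CompressElement"]
    return sorted(hits)

# Constructed sample module standing in for an internal pipeline file.
SAMPLE = '''\
import tensorflow as tf
from tensorflow import raw_ops

def pack(batch):
    return tf.raw_ops.CompressElement(batch)

def pack_again(batch):
    return raw_ops.CompressElement(batch)
'''
```

Run `find_compress_element_uses` over each `.py` file in a repository and pair the hits with `is_patched` applied to the TensorFlow version pinned for that codebase to rank what to upgrade first.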

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art.9 - Risk management system
ISO 42001: A.6.2 - AI system resources and operation
NIST AI RMF: MANAGE-2.2 - Mechanisms to sustain AI risk management
NIST AI RMF: MAP-5.1 - Likelihood and impact of AI risks

Frequently Asked Questions

What is CVE-2021-37637?

This TensorFlow vulnerability allows any local user with low privileges to crash training jobs or data pipelines by passing malformed input to the CompressElement operation. In shared ML infrastructure — multi-user Jupyter environments, training clusters, or MLOps platforms — this enables disruption of competing workloads. Patch to TF 2.6.0 (or backports 2.5.1/2.4.3/2.3.4) and restrict untrusted code execution on shared training infrastructure.

Is CVE-2021-37637 actively exploited?

No confirmed active exploitation of CVE-2021-37637 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37637?

1. PATCH: Upgrade TensorFlow to 2.6.0 or apply backports to 2.5.1, 2.4.3, or 2.3.4.
2. COMPENSATING CONTROL: On shared ML infrastructure, enforce resource quotas and process isolation to limit blast radius of a triggered crash.
3. INPUT VALIDATION: If TF ops are exposed via a serving API or notebook gateway, validate that input buffers are non-null and properly sized before forwarding to CompressElement.
4. DETECTION: Monitor for unexpected TF process crashes or SIGSEGV signals in training job logs — abnormal termination without OOM or CUDA errors may indicate exploitation attempts.
5. INVENTORY: Identify internal tools and pipelines that call tf.raw_ops.CompressElement directly and prioritize patching those codebases.

What systems are affected by CVE-2021-37637?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data preprocessing pipelines, shared ML compute infrastructure, MLOps orchestration platforms.

What is the CVSS score for CVE-2021-37637?

CVE-2021-37637 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.16%.

What is the AI security impact?

Affected AI Architectures

training pipelines
data preprocessing pipelines
shared ML compute infrastructure
MLOps orchestration platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art.9
ISO 42001: A.6.2
NIST AI RMF: MANAGE-2.2, MAP-5.1

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. It is possible to trigger a null pointer dereference in TensorFlow by passing an invalid input to `tf.raw_ops.CompressElement`. The [implementation](https://github.com/tensorflow/tensorflow/blob/47a06f40411a69c99f381495f490536972152ac0/tensorflow/core/data/compression_utils.cc#L34) was accessing the size of a buffer obtained from the return of a separate function call before validating that said buffer is valid. We have patched the issue in GitHub commit 5dc7f6981fdaf74c8c5be41f393df705841fb7c5. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with access to a shared Jupyter Hub or Kubeflow notebook environment submits a notebook that calls `tf.raw_ops.CompressElement` with a crafted invalid input — specifically a tensor that returns a null or empty buffer from an upstream op. TensorFlow dereferences the null pointer before validating the buffer, causing a segfault that kills the TensorFlow runtime process. On a shared training cluster, this crashes co-located training jobs. In an MLOps pipeline where data preprocessing is a shared service, this could take down the preprocessing stage for all concurrent pipeline runs, creating a denial-of-service condition across multiple teams or production workflows.
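One way to implement the detection step against the crash described above, as an added example that is not part of the original advisory: it marks jobs that logged a segfault with no OOM or CUDA error as needing investigation, and lists nodes where several such jobs died. The log line format, the job and node names, and the per-node clustering heuristic are assumptions made for the illustration.

```python
import re
from collections import Counter

# Segfault indicators: signal name, faulthandler text, or exit status 139 (128 + 11).
SEGV = re.compile(r"SIGSEGV|segmentation fault|signal 11\b|exit (?:code|status) (?:139|-11)\b", re.I)
# Explanations to rule out first, per the detection step: OOM and CUDA errors.
EXPLAINED = re.compile(r"out of memory|\bOOM\b|ResourceExhaustedError|CUDA_ERROR|CUDA error", re.I)
# Constructed log format for this example: "<time> node=<node> job=<job> <message>"
LINE = re.compile(r"^\S+ node=(\S+) job=(\S+) (.*)$")

def triage(lines, cluster_threshold=2):
    """Classify segfaulted jobs and list nodes with several unexplained crashes."""
    segv, explained, node_of = set(), set(), {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue                      # ignore lines in other formats
        node, job, msg = m.groups()
        node_of[job] = node
        if SEGV.search(msg):
            segv.add(job)
        if EXPLAINED.search(msg):
            explained.add(job)
    verdicts = {job: "explained" if job in explained else "investigate" for job in segv}
    per_node = Counter(node_of[j] for j, v in verdicts.items() if v == "investigate")
    hot_nodes = sorted(n for n, c in per_node.items() if c >= cluster_threshold)
    return verdicts, hot_nodes

# Constructed sample: three jobs on gpu-01 die, one of them after an OOM.
SAMPLE_LOG = """\
2021-08-13T09:14:02Z node=gpu-01 job=train-a step 1200 loss=0.412
2021-08-13T09:14:05Z node=gpu-01 job=train-a Fatal Python error: Segmentation fault
2021-08-13T09:14:05Z node=gpu-01 job=prep-b worker exited, exit code 139
2021-08-13T09:14:07Z node=gpu-01 job=train-c ResourceExhaustedError: OOM when allocating tensor
2021-08-13T09:14:08Z node=gpu-01 job=train-c terminated by SIGSEGV
2021-08-13T09:20:11Z node=gpu-02 job=eval-d finished, exit code 0
""".splitlines()
```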

Weaknesses (CWE)

CWE-476 — NULL Pointer Dereference: The product dereferences a pointer that it expects to be valid but is NULL.

  • [Implementation] For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
  • [Requirements] Select a programming language that is not susceptible to these issues.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: August 12, 2021
Last Modified: November 21, 2024
First Seen: August 12, 2021

Related Vulnerabilities