CVE-2021-37639 — HIGH (CVSS 7.8) AI Security Vulnerability

CISO Take

A low-privilege local attacker can crash TensorFlow processes or read arbitrary heap memory by supplying malformed tensor names during checkpoint restoration. Shared ML training infrastructure—GPU clusters, Jupyter hubs, multi-tenant cloud notebooks—is the primary risk surface where cross-user data leakage is plausible. Patch all TensorFlow deployments to 2.6.0 or the backported 2.5.1/2.4.3/2.3.4 releases; no workaround substitutes for the patch.

Risk Assessment

CVSS 7.8 High with local attack vector and low privilege requirement. Risk is elevated in multi-tenant ML infrastructure where untrusted or compromised users can invoke TF operations. Beyond simple DoS, the heap OOB read (CWE-125) poses a data leakage risk—heap memory may contain model weights, training samples, or in-process credentials. Not in CISA KEV and no evidence of active exploitation, but low attack complexity (AC:L, PR:L) makes weaponization accessible to motivated insiders.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.8 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 2% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

Recommended Action

5 steps

Upgrade TensorFlow to 2.6.0 or apply backports: 2.5.1, 2.4.3, or 2.3.4 (all contain patch commit 9e82dce6e6bd1f36a57e08fa85af213e2b2f2622).
Audit any code invoking raw save/restore tensor APIs—validate tensor_name is non-empty and preferred_shard is within bounds before calling.
Restrict unprivileged users from direct access to raw TF checkpoint/session APIs in shared environments.
Monitor ML infrastructure for unexpected process segfaults or OOB errors in application logs as exploitation indicators.
In shared training clusters, enforce process isolation (namespaces, separate nodes) between untrusted workloads.

Classification

Code Execution Data Extraction Framework Training Data AML.T0010.001 - AI Software AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

6.1.2 - AI risk treatment

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain the value of deployed AI systems

OWASP LLM Top 10

LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2021-37639?

A low-privilege local attacker can crash TensorFlow processes or read arbitrary heap memory by supplying malformed tensor names during checkpoint restoration. Shared ML training infrastructure—GPU clusters, Jupyter hubs, multi-tenant cloud notebooks—is the primary risk surface where cross-user data leakage is plausible. Patch all TensorFlow deployments to 2.6.0 or the backported 2.5.1/2.4.3/2.3.4 releases; no workaround substitutes for the patch.

Is CVE-2021-37639 actively exploited?

No confirmed active exploitation of CVE-2021-37639 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37639?

1. Upgrade TensorFlow to 2.6.0 or apply backports: 2.5.1, 2.4.3, or 2.3.4 (all contain patch commit 9e82dce6e6bd1f36a57e08fa85af213e2b2f2622). 2. Audit any code invoking raw save/restore tensor APIs—validate tensor_name is non-empty and preferred_shard is within bounds before calling. 3. Restrict unprivileged users from direct access to raw TF checkpoint/session APIs in shared environments. 4. Monitor ML infrastructure for unexpected process segfaults or OOB errors in application logs as exploitation indicators. 5. In shared training clusters, enforce process isolation (namespaces, separate nodes) between untrusted workloads.

What systems are affected by CVE-2021-37639?

This vulnerability affects the following AI/ML architecture patterns: Training pipelines, Model checkpointing workflows, Shared ML training infrastructure, Model serving with checkpoint loading, ML development environments (Jupyter, notebooks).

What is the CVSS score for CVE-2021-37639?

CVE-2021-37639 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. When restoring tensors via raw APIs, if the tensor name is not provided, TensorFlow can be tricked into dereferencing a null pointer. Alternatively, attackers can read memory outside the bounds of heap allocated data by providing some tensor names but not enough for a successful restoration. The [implementation](https://github.com/tensorflow/tensorflow/blob/47a06f40411a69c99f381495f490536972152ac0/tensorflow/core/kernels/save_restore_tensor.cc#L158-L159) retrieves the tensor list corresponding to the `tensor_name` user controlled input and immediately retrieves the tensor at the restoration index (controlled via `preferred_shard` argument). This occurs without validating that the provided list has enough values. If the list is empty this results in dereferencing a null pointer (undefined behavior). If, however, the list has some elements, if the restoration index is outside the bounds this results in heap OOB read. We have patched the issue in GitHub commit 9e82dce6e6bd1f36a57e08fa85af213e2b2f2622. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An insider or attacker with a compromised low-privilege account on a shared GPU training cluster invokes TensorFlow's raw restore tensor API with either an empty tensor name (null pointer dereference, process crash) or a tensor name that resolves to a short list paired with an out-of-bounds shard index. In the OOB read path, the attacker iterates shard indices to read adjacent heap allocations—potentially extracting model weights, in-flight training batches, or authentication tokens cached by co-running processes. On a JupyterHub node where multiple data scientists share the same TF runtime, this enables cross-user data extraction without elevated privileges.