CVE-2021-37642: TensorFlow: ResourceScatterDiv div-by-zero enables DoS

MEDIUM
Published August 12, 2021
CISO Take

A division-by-zero in TensorFlow's ResourceScatterDiv operation allows any low-privileged local user to crash the TF process, causing a denial of service. Upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately on shared or multi-tenant ML infrastructure. No data exposure or code execution risk — impact is limited to availability.

Risk Assessment

Medium risk overall, consistent with CVSS 5.5. Risk escalates in shared ML training clusters or multi-tenant GPU environments where untrusted operators can submit computation graphs. Production model serving pipelines that accept externally supplied SavedModels face higher exposure than single-tenant development workstations. Absence from CISA KEV and no evidence of active exploitation keep the urgency at routine patching priority.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch


Severity & Risk

CVSS 3.1
5.5 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 2% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High

Recommended Action

6 steps
  1. Upgrade to TensorFlow 2.6.0 (preferred) or apply backport patches: 2.5.1, 2.4.3, 2.3.4.

  2. Reference fix: GitHub commit 4aacb30888638da75023e6601149415b39763d76.

  3. No effective workaround short of patching — avoid disabling the op as it breaks legitimate workloads.

  4. Detection: monitor for TF process crashes with division-by-zero signals (SIGFPE) or abrupt job terminations in training orchestration logs.

  5. In multi-tenant environments, restrict arbitrary computation graph submission until patched.

  6. Pin TF versions in CI/CD dependency files and enable automated vulnerability scanning on ML dependencies.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity of high-risk AI systems
ISO 42001
A.9.3 - AI system availability and resilience
NIST AI RMF
MANAGE-2.4 - Residual risks and vulnerabilities from deployed AI systems
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-37642?

A division-by-zero in TensorFlow's ResourceScatterDiv operation allows any low-privileged local user to crash the TF process, causing a denial of service. Upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately on shared or multi-tenant ML infrastructure. No data exposure or code execution risk — impact is limited to availability.

Is CVE-2021-37642 actively exploited?

No confirmed active exploitation of CVE-2021-37642 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37642?

  1. Upgrade to TensorFlow 2.6.0 (preferred) or apply backport patches: 2.5.1, 2.4.3, 2.3.4.

  2. Reference fix: GitHub commit 4aacb30888638da75023e6601149415b39763d76.

  3. No effective workaround short of patching — avoid disabling the op as it breaks legitimate workloads.

  4. Detection: monitor for TF process crashes with division-by-zero signals (SIGFPE) or abrupt job terminations in training orchestration logs.

  5. In multi-tenant environments, restrict arbitrary computation graph submission until patched.

  6. Pin TF versions in CI/CD dependency files and enable automated vulnerability scanning on ML dependencies.

What systems are affected by CVE-2021-37642?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared GPU clusters, ML development environments.

What is the CVSS score for CVE-2021-37642?

CVE-2021-37642 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.ResourceScatterDiv` is vulnerable to a division by 0 error. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/resource_variable_ops.cc#L865) uses a common class for all binary operations but fails to treat the division by 0 case separately. We have patched the issue in GitHub commit 4aacb30888638da75023e6601149415b39763d76. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
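To illustrate the defect the NVD text describes, the following is an added example (not TensorFlow's code; the names ScatterApply, DivOp, MulOp and Status are invented for this illustration): one templated scatter kernel shared by all binary ops, plus the zero-divisor validation that the unpatched ResourceScatterDiv path lacked. An integer division by zero traps with SIGFPE on x86 and takes the whole process down, so the guard runs over every update before any element is written and the op fails cleanly instead.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Minimal status type standing in for a TensorFlow-style Status (assumption,
// not the TF API): ok == false carries a message the caller can hand back to
// the graph executor instead of letting the kernel crash the process.
struct Status {
    bool ok;
    std::string message;
};

// Binary ops plugged into the shared scatter kernel. Only division needs the
// extra pre-check, which is exactly the case the unpatched kernel missed.
struct DivOp {
    static constexpr bool kIsDivision = true;
    int64_t operator()(int64_t a, int64_t b) const { return a / b; }
};
struct MulOp {
    static constexpr bool kIsDivision = false;
    int64_t operator()(int64_t a, int64_t b) const { return a * b; }
};

// params[indices[i]] = Op(params[indices[i]], updates[i]) for every i.
// All validation happens before any write, so a rejected request leaves
// params untouched (no partially applied scatter).
template <typename Op>
Status ScatterApply(std::vector<int64_t>& params,
                    const std::vector<int64_t>& indices,
                    const std::vector<int64_t>& updates) {
    if (indices.size() != updates.size())
        return {false, "indices and updates must have the same length"};
    for (size_t i = 0; i < indices.size(); ++i) {
        if (indices[i] < 0 || static_cast<size_t>(indices[i]) >= params.size())
            return {false, "index " + std::to_string(indices[i]) + " out of range"};
        // Integer division by zero is undefined behaviour in C++ and traps
        // (SIGFPE) on x86; returning an error here is the difference between
        // a failed op and a dead process.
        if (Op::kIsDivision && updates[i] == 0)
            return {false, "ScatterDiv: divisor at position " +
                               std::to_string(i) + " is zero"};
    }
    Op op;
    for (size_t i = 0; i < indices.size(); ++i)
        params[indices[i]] = op(params[indices[i]], updates[i]);
    return {true, ""};
}
```

A real kernel would also cover the other trapping case for signed integers, INT64_MIN / -1, and the floating-point path where a zero divisor yields inf/NaN rather than a signal.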

Exploitation Scenario

An adversary with a low-privilege account on a shared GPU training cluster (e.g., a data scientist account in a multi-tenant MLOps environment) crafts a TensorFlow computation graph invoking tf.raw_ops.ResourceScatterDiv with a divisor tensor containing zero. Executing this graph triggers an unhandled division-by-zero that immediately crashes the TF process. This terminates co-located training jobs and could be used repeatedly to sabotage competitor workloads in shared infrastructure or disrupt CI/CD ML pipelines. If TF Serving accepts externally-supplied SavedModels embedding this operation, an unauthenticated remote attacker could trigger the crash by uploading a malicious model.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
August 12, 2021
Last Modified
November 21, 2024
First Seen
August 12, 2021

Related Vulnerabilities