AI Threat Alert

CVE-2021-37644: TensorFlow: DoS via negative TensorListReserve input

MEDIUM
Published August 12, 2021
CISO Take

A local attacker with minimal privileges can crash any TensorFlow process by passing a negative value to `TensorListReserve`, exploiting missing input validation in list kernel ops. In shared ML inference or training environments, this translates to service disruption with a trivially crafted input. Patch to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately — no workaround exists short of input sanitization at the application layer.

What is the risk?

Medium severity overall, but contextually elevated in multi-tenant ML serving platforms. The local attack vector (AV:L) limits internet-exposed risk; however, in Jupyter notebook environments, MLflow experiment servers, or shared GPU clusters, any authenticated user can trigger a full process abort. No code execution or data exfiltration possible — pure availability impact. CVSS 5.5 accurately reflects standalone risk, but operational impact in production inference pipelines can be disproportionately higher.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
5.5 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 5% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C None
I None
A High

What should I do?

5 steps

  1. Patch immediately

    Upgrade to TensorFlow 2.6.0, or apply cherrypick commit 8a6e874 on TF 2.5.1, 2.4.3, or 2.3.4.

  2. Inventory TF versions

    Audit all environments (training, serving, notebooks) for affected versions.

  3. Input validation

    If patching is delayed, validate that num_elements arguments to list ops are non-negative at the application boundary before passing to TF ops.

  4. Isolate serving endpoints

    Ensure TF serving APIs do not accept raw op execution from untrusted users.

  5. Monitor

    Alert on unexpected TF process terminations — repeated crashes may indicate active exploitation or fuzzing attempts.

How is it classified?

DoS Framework AML.T0010.001 AML.T0029 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system robustness and availability
NIST AI RMF
MANAGE-2.2 - Incident response and recovery for AI risks
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-37644?

A local attacker with minimal privileges can crash any TensorFlow process by passing a negative value to `TensorListReserve`, exploiting missing input validation in list kernel ops. In shared ML inference or training environments, this translates to service disruption with a trivially crafted input. Patch to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately — no workaround exists short of input sanitization at the application layer.

Is CVE-2021-37644 actively exploited?

No confirmed active exploitation of CVE-2021-37644 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37644?

1. **Patch immediately**: Upgrade to TensorFlow 2.6.0, or apply cherrypick commit 8a6e874 on TF 2.5.1, 2.4.3, or 2.3.4. 2. **Inventory TF versions**: Audit all environments (training, serving, notebooks) for affected versions. 3. **Input validation**: If patching is delayed, validate that `num_elements` arguments to list ops are non-negative at the application boundary before passing to TF ops. 4. **Isolate serving endpoints**: Ensure TF serving APIs do not accept raw op execution from untrusted users. 5. **Monitor**: Alert on unexpected TF process terminations — repeated crashes may indicate active exploitation or fuzzing attempts.

What systems are affected by CVE-2021-37644?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML notebooks.

What is the CVSS score for CVE-2021-37644?

CVE-2021-37644 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.15%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingshared ML notebooks

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 8.4
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. In affected versions providing a negative element to `num_elements` list argument of `tf.raw_ops.TensorListReserve` causes the runtime to abort the process due to reallocating a `std::vector` to have a negative number of elements. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/list_kernels.cc#L312) calls `std::vector.resize()` with the new size controlled by input given by the user, without checking that this input is valid. We have patched the issue in GitHub commit 8a6e874437670045e6c7dc6154c7412b4a2135e2. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with access to a shared Jupyter notebook environment or an ML pipeline that accepts model artifacts calls `tf.raw_ops.TensorListReserve(element_shape=[], num_elements=tf.constant(-1), element_dtype=tf.float32)`. The TF runtime invokes `std::vector::resize(-1)` internally, triggering an immediate process abort. In a production inference server, this terminates the serving process, causing a denial of service for all concurrent users. In a Kubeflow or Vertex AI multi-tenant cluster, a malicious notebook user crashes the shared TF kernel, disrupting other users' workloads. Exploit requires no AI/ML expertise — a one-liner Python call is sufficient.

Weaknesses (CWE)

CWE-617 Reachable Assertion

CWE-617 — Reachable Assertion: The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

  • [Implementation] Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
  • [Implementation] Perform input validation on user data.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
August 12, 2021
Last Modified
November 21, 2024
First Seen
August 12, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed