CVE-2021-37644 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

A local attacker with minimal privileges can crash any TensorFlow process by passing a negative value to `TensorListReserve`, exploiting missing input validation in list kernel ops. In shared ML inference or training environments, this translates to service disruption with a trivially crafted input. Patch to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately — no workaround exists short of input sanitization at the application layer.

Risk Assessment

Medium severity overall, but contextually elevated in multi-tenant ML serving platforms. The local attack vector (AV:L) limits internet-exposed risk; however, in Jupyter notebook environments, MLflow experiment servers, or shared GPU clusters, any authenticated user can trigger a full process abort. No code execution or data exfiltration possible — pure availability impact. CVSS 5.5 accurately reflects standalone risk, but operational impact in production inference pipelines can be disproportionately higher.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 2% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch immediately

Upgrade to TensorFlow 2.6.0, or apply cherrypick commit 8a6e874 on TF 2.5.1, 2.4.3, or 2.3.4.
Inventory TF versions

Audit all environments (training, serving, notebooks) for affected versions.
Input validation

If patching is delayed, validate that num_elements arguments to list ops are non-negative at the application boundary before passing to TF ops.
Isolate serving endpoints

Ensure TF serving APIs do not accept raw op execution from untrusted users.
Monitor

Alert on unexpected TF process terminations — repeated crashes may indicate active exploitation or fuzzing attempts.

Classification

DoS Framework AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

8.4 - AI system robustness and availability

NIST AI RMF

MANAGE-2.2 - Incident response and recovery for AI risks

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-37644?

A local attacker with minimal privileges can crash any TensorFlow process by passing a negative value to `TensorListReserve`, exploiting missing input validation in list kernel ops. In shared ML inference or training environments, this translates to service disruption with a trivially crafted input. Patch to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately — no workaround exists short of input sanitization at the application layer.

Is CVE-2021-37644 actively exploited?

No confirmed active exploitation of CVE-2021-37644 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37644?

1. **Patch immediately**: Upgrade to TensorFlow 2.6.0, or apply cherrypick commit 8a6e874 on TF 2.5.1, 2.4.3, or 2.3.4. 2. **Inventory TF versions**: Audit all environments (training, serving, notebooks) for affected versions. 3. **Input validation**: If patching is delayed, validate that `num_elements` arguments to list ops are non-negative at the application boundary before passing to TF ops. 4. **Isolate serving endpoints**: Ensure TF serving APIs do not accept raw op execution from untrusted users. 5. **Monitor**: Alert on unexpected TF process terminations — repeated crashes may indicate active exploitation or fuzzing attempts.

What systems are affected by CVE-2021-37644?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML notebooks.

What is the CVSS score for CVE-2021-37644?

CVE-2021-37644 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions providing a negative element to `num_elements` list argument of `tf.raw_ops.TensorListReserve` causes the runtime to abort the process due to reallocating a `std::vector` to have a negative number of elements. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/list_kernels.cc#L312) calls `std::vector.resize()` with the new size controlled by input given by the user, without checking that this input is valid. We have patched the issue in GitHub commit 8a6e874437670045e6c7dc6154c7412b4a2135e2. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with access to a shared Jupyter notebook environment or an ML pipeline that accepts model artifacts calls `tf.raw_ops.TensorListReserve(element_shape=[], num_elements=tf.constant(-1), element_dtype=tf.float32)`. The TF runtime invokes `std::vector::resize(-1)` internally, triggering an immediate process abort. In a production inference server, this terminates the serving process, causing a denial of service for all concurrent users. In a Kubeflow or Vertex AI multi-tenant cluster, a malicious notebook user crashes the shared TF kernel, disrupting other users' workloads. Exploit requires no AI/ML expertise — a one-liner Python call is sufficient.