CVE-2021-37645: TensorFlow: integer overflow in quantize grad causes DoS

MEDIUM
Published August 12, 2021
CISO Take

CVE-2021-37645 is a medium-severity integer overflow in TensorFlow's QuantizeAndDequantizeV4Grad op that allows a local attacker with low privileges to crash TF processes by passing a negative axis value. Patch to TensorFlow 2.6.0, 2.5.1, or 2.4.3. Risk is bounded to DoS — no data exfiltration or code execution is possible — making this a normal-cycle patch unless you run multi-tenant ML training platforms.

What is the risk?

Low-to-medium operational risk. Requires local access and low privileges, limiting the attack surface to insider threats or compromised shared training environments. Impact is purely availability (process crash), with no confidentiality or integrity impact. Not in CISA KEV and no known active exploitation. Prioritize patching during normal maintenance unless operating multi-tenant ML platforms where untrusted users can submit arbitrary training jobs.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | | No patch |
195.8K · OpenSSF 7.1 · 3.7K dependents · Pushed 2d ago · 4% patched · ~1372d to patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 5.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 5% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

| Metric | Value |
|---|---|
| AV | Local |
| AC | Low |
| PR | Low |
| UI | None |
| S | Unchanged |
| C | None |
| I | None |
| A | High |

What should I do?

5 steps
  1. Patch: Upgrade TensorFlow to 2.6.0, 2.5.1, or 2.4.3 (fix commit 96f364a).

  2. Verify installed version: `pip show tensorflow`.

  3. If immediate patching is blocked, restrict training environment access to trusted users only — local execution privilege is required.

  4. On shared ML platforms (SageMaker, Vertex AI, MLflow), audit which users can submit arbitrary TF ops.

  5. Detection: Monitor for abnormal process crashes in TF training workers; repeated crashes in quantization ops warrant investigation.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI system risk management
NIST AI RMF: MANAGE-2.2 - AI risk treatment and monitoring

Frequently Asked Questions

What is CVE-2021-37645?

CVE-2021-37645 is a medium-severity integer overflow in TensorFlow's QuantizeAndDequantizeV4Grad op that allows a local attacker with low privileges to crash TF processes by passing a negative axis value. Patch to TensorFlow 2.6.0, 2.5.1, or 2.4.3. Risk is bounded to DoS — no data exfiltration or code execution is possible — making this a normal-cycle patch unless you run multi-tenant ML training platforms.

Is CVE-2021-37645 actively exploited?

No confirmed active exploitation of CVE-2021-37645 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37645?

1. Patch: Upgrade TensorFlow to 2.6.0, 2.5.1, or 2.4.3 (fix commit 96f364a).
2. Verify installed version: `pip show tensorflow`.
3. If immediate patching is blocked, restrict training environment access to trusted users only — local execution privilege is required.
4. On shared ML platforms (SageMaker, Vertex AI, MLflow), audit which users can submit arbitrary TF ops.
5. Detection: Monitor for abnormal process crashes in TF training workers; repeated crashes in quantization ops warrant investigation.

What systems are affected by CVE-2021-37645?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model optimization pipelines, shared ML platforms.

What is the CVSS score for CVE-2021-37645?

CVE-2021-37645 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.15%.

What is the AI security impact?

Affected AI Architectures

training pipelines, model optimization pipelines, shared ML platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE-2.2

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.QuantizeAndDequantizeV4Grad` is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L126) uses the `axis` value as the size argument to `absl::InlinedVector` constructor. But, the constructor uses an unsigned type for the argument, so the implicit conversion transforms the negative value to a large integer. We have patched the issue in GitHub commit 96f364a1ca3009f98980021c4b32be5fdcca33a1. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, and TensorFlow 2.4.3, as these are also affected and still in supported range.

Exploitation Scenario

A data scientist on a shared ML training platform or a malicious insider submits a training job using tf.raw_ops.QuantizeAndDequantizeV4Grad with a negative axis value (e.g., axis=-2147483648). The signed integer is implicitly cast to a massive unsigned integer in absl::InlinedVector, triggering an out-of-bounds memory allocation and crashing the TensorFlow worker process. On multi-tenant infrastructure this terminates co-located training jobs. In a model optimization pipeline, repeated triggering could stall quantized model production for edge deployment targets.

Weaknesses (CWE)

CWE-681 — Incorrect Conversion between Numeric Types: When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.

  • [Implementation] Avoid making conversion between numeric types. Always check for the allowed ranges.

Source: MITRE CWE corpus.
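
The signed-to-unsigned conversion described in the advisory, with a range check in front of it, as an added C++ example (not TensorFlow's code and not the fix commit). `std::vector` stands in for `absl::InlinedVector`; the function names and the `0 <= axis < rank` acceptance policy are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <limits>
#include <vector>

// Unchecked path: the same value conversion that happens implicitly when a
// signed axis is passed where a container constructor takes an unsigned size.
std::size_t unchecked_size(std::int32_t axis) {
  return static_cast<std::size_t>(axis);  // negative values wrap to huge sizes
}

// Checked path. Assumed policy for this example: axis must name a real
// dimension, so 0 <= axis < rank. Only then is the conversion performed.
bool checked_size(std::int32_t axis, int rank, std::size_t* out) {
  if (axis < 0 || axis >= rank) return false;
  *out = static_cast<std::size_t>(axis);
  return true;
}

// Sizes the buffer from axis only after validation. A kernel would return an
// invalid-argument status to the caller where this returns false.
bool build_axis_buffer(std::int32_t axis, int rank, std::vector<int>* buf) {
  std::size_t n = 0;
  if (!checked_size(axis, rank, &n)) return false;
  buf->assign(n, 0);
  return true;
}

int main() {
  // Constructed sample inputs: one valid axis and two negative ones.
  const std::int32_t samples[] = {
      2, -1, std::numeric_limits<std::int32_t>::min()};
  for (std::int32_t axis : samples) {
    std::vector<int> buf;
    bool ok = build_axis_buffer(axis, /*rank=*/4, &buf);
    std::cout << "axis=" << axis
              << " size_if_unchecked=" << unchecked_size(axis)
              << " accepted=" << ok
              << " elements=" << buf.size() << "\n";
  }
  return 0;
}
```

The unchecked size for any negative axis exceeds what a container can allocate, so the allocation fails and the process aborts; the checked path rejects the value before a size is ever computed.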

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: August 12, 2021
Last Modified: November 21, 2024
First Seen: August 12, 2021

Related Vulnerabilities