CVE-2021-37645 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

CVE-2021-37645 is a medium-severity integer overflow in TensorFlow's QuantizeAndDequantizeV4Grad op that allows a local attacker with low privileges to crash TF processes by passing a negative axis value. Patch to TensorFlow 2.6.0, 2.5.1, or 2.4.3. Risk is bounded to DoS — no data exfiltration or code execution is possible — making this a normal-cycle patch unless you run multi-tenant ML training platforms.

Risk Assessment

Low-to-medium operational risk. Requires local access and low privileges, limiting the attack surface to insider threats or compromised shared training environments. Impact is purely availability (process crash), with no confidentiality or integrity impact. Not in CISA KEV and no known active exploitation. Prioritize patching during normal maintenance unless operating multi-tenant ML platforms where untrusted users can submit arbitrary training jobs.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 2% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch: Upgrade TensorFlow to 2.6.0, 2.5.1, or 2.4.3 (fix commit 96f364a).
Verify installed version: pip show tensorflow.
If immediate patching is blocked, restrict training environment access to trusted users only — local execution privilege is required.
On shared ML platforms (SageMaker, Vertex AI, MLflow), audit which users can submit arbitrary TF ops.
Detection: Monitor for abnormal process crashes in TF training workers; repeated crashes in quantization ops warrant investigation.

Classification

DoS Framework AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI system risk management

NIST AI RMF

MANAGE-2.2 - AI risk treatment and monitoring

Frequently Asked Questions

What is CVE-2021-37645?

CVE-2021-37645 is a medium-severity integer overflow in TensorFlow's QuantizeAndDequantizeV4Grad op that allows a local attacker with low privileges to crash TF processes by passing a negative axis value. Patch to TensorFlow 2.6.0, 2.5.1, or 2.4.3. Risk is bounded to DoS — no data exfiltration or code execution is possible — making this a normal-cycle patch unless you run multi-tenant ML training platforms.

Is CVE-2021-37645 actively exploited?

No confirmed active exploitation of CVE-2021-37645 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37645?

1. Patch: Upgrade TensorFlow to 2.6.0, 2.5.1, or 2.4.3 (fix commit 96f364a). 2. Verify installed version: `pip show tensorflow`. 3. If immediate patching is blocked, restrict training environment access to trusted users only — local execution privilege is required. 4. On shared ML platforms (SageMaker, Vertex AI, MLflow), audit which users can submit arbitrary TF ops. 5. Detection: Monitor for abnormal process crashes in TF training workers; repeated crashes in quantization ops warrant investigation.

What systems are affected by CVE-2021-37645?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model optimization pipelines, shared ML platforms.

What is the CVSS score for CVE-2021-37645?

CVE-2021-37645 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.QuantizeAndDequantizeV4Grad` is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L126) uses the `axis` value as the size argument to `absl::InlinedVector` constructor. But, the constructor uses an unsigned type for the argument, so the implicit conversion transforms the negative value to a large integer. We have patched the issue in GitHub commit 96f364a1ca3009f98980021c4b32be5fdcca33a1. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, and TensorFlow 2.4.3, as these are also affected and still in supported range.

Exploitation Scenario

A data scientist on a shared ML training platform or a malicious insider submits a training job using tf.raw_ops.QuantizeAndDequantizeV4Grad with a negative axis value (e.g., axis=-2147483648). The signed integer is implicitly cast to a massive unsigned integer in absl::InlinedVector, triggering an out-of-bounds memory allocation and crashing the TensorFlow worker process. On multi-tenant infrastructure this terminates co-located training jobs. In a model optimization pipeline, repeated triggering could stall quantized model production for edge deployment targets.