CVE-2021-37646: TensorFlow: StringNGrams integer overflow triggers DoS

MEDIUM
Published August 12, 2021
CISO Take

This is a medium-severity local denial-of-service in TensorFlow's text processing op. Patch to TF 2.6.0 / backport versions (2.5.1, 2.4.3, 2.3.4) as part of routine dependency hygiene. Risk is elevated for NLP training pipelines or model-serving endpoints that accept user-controlled text parameters — an attacker supplying negative ngram_widths can crash the TF process.

Risk Assessment

Medium operational risk. Attack vector is local (AV:L) and requires low privileges, limiting opportunistic exploitation from the internet. However, in ML serving environments where user inputs are passed through TF ops without sanitization, a malicious payload could trigger the overflow remotely via the application layer. No active exploitation observed, not in CISA KEV. Primary concern is pipeline availability, not data confidentiality or model integrity.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | | No patch |

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1: 5.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 2% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: None
A: High

Recommended Action

  1. Patch: Upgrade to TensorFlow >= 2.6.0, or apply cherrypicks to 2.5.1 / 2.4.3 / 2.3.4.

  2. Input validation: Enforce that ngram_widths values are positive integers before passing to StringNGrams. Sanitize at API boundaries before any TF op receives user-controlled parameters.

  3. Process isolation: Run TF inference workers in containers with restart policies so a crash does not cause prolonged service outage.

  4. Detection: Monitor for TF process crashes or OOM errors in ML inference logs; anomalous allocation failures in string preprocessing can indicate exploit attempts.

  5. Verify: Run tf.__version__ in all environments; audit requirements.txt / Pipfile.lock for pinned vulnerable versions.
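
Steps 2 and 5 as an added example (not code from the advisory or from TensorFlow): a boundary check for `ngram_widths` and an audit of exact `tensorflow` pins against the fixed releases listed above. The helper names, the `MAX_WIDTH` cap and the sample lines are assumptions made for illustration.

```python
import re

# Fixed releases named in the advisory: 2.6.0, plus backports 2.5.1 / 2.4.3 / 2.3.4.
BACKPORTS = {(2, 5): 1, (2, 4): 3, (2, 3): 4}
MAX_WIDTH = 16  # assumed policy cap, not from the advisory; tune per application


def validate_ngram_widths(widths):
    """Return widths as a list of ints, or raise ValueError before any TF op sees them."""
    checked = []
    for w in widths:
        # bool is a subclass of int, so reject it explicitly
        if isinstance(w, bool) or not isinstance(w, int):
            raise ValueError(f"ngram width must be an integer: {w!r}")
        if not 1 <= w <= MAX_WIDTH:
            raise ValueError(f"ngram width out of range 1..{MAX_WIDTH}: {w}")
        checked.append(w)
    return checked


def is_patched(version):
    """True if a plain X.Y.Z version contains the fix; None if it cannot be parsed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return None  # pre-releases, wildcards etc. need manual review
    major, minor, patch = map(int, m.groups())
    if (major, minor) >= (2, 6):
        return True
    floor = BACKPORTS.get((major, minor))
    # Branches without a listed backport are treated as unpatched.
    return floor is not None and patch >= floor


def audit_requirements(lines):
    """Yield (line, verdict) for every exact tensorflow pin in requirements-style lines."""
    pin = re.compile(r"^\s*tensorflow\s*==\s*([^\s;#]+)", re.IGNORECASE)
    labels = {True: "patched", False: "vulnerable", None: "review"}
    for line in lines:
        m = pin.match(line)
        if m:
            yield line.strip(), labels[is_patched(m.group(1))]


# Constructed sample input, not taken from any real project.
SAMPLE = ["numpy==1.19.5", "tensorflow==2.5.0",
          "tensorflow==2.4.3  # pinned", "tensorflow==2.6.0rc1"]

if __name__ == "__main__":
    for entry in audit_requirements(SAMPLE):
        print(entry)
    print(validate_ngram_widths([1, 2, 3]))
```

Call `validate_ngram_widths` at the API boundary, before the values reach `tf.raw_ops.StringNGrams`; pins reported as `review` (pre-releases, ranges) need a manual check.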

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Annex IV - 2(f) - Cybersecurity and robustness requirements for high-risk AI systems
ISO 42001
A.6.2.5 - AI system software vulnerability management
NIST AI RMF
GOVERN-1.7 - Processes for identifying and addressing AI system vulnerabilities
MANAGE-2.2 - Risks from third-party AI software and dependencies

Frequently Asked Questions

Is CVE-2021-37646 actively exploited?

No confirmed active exploitation of CVE-2021-37646 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37646?

  1. Patch: Upgrade to TensorFlow >= 2.6.0, or apply cherrypicks to 2.5.1 / 2.4.3 / 2.3.4.

  2. Input validation: Enforce that ngram_widths values are positive integers before passing to StringNGrams. Sanitize at API boundaries before any TF op receives user-controlled parameters.

  3. Process isolation: Run TF inference workers in containers with restart policies so a crash does not cause prolonged service outage.

  4. Detection: Monitor for TF process crashes or OOM errors in ML inference logs; anomalous allocation failures in string preprocessing can indicate exploit attempts.

  5. Verify: Run `tf.__version__` in all environments; audit requirements.txt / Pipfile.lock for pinned vulnerable versions.

What systems are affected by CVE-2021-37646?

This vulnerability affects the following AI/ML architecture patterns: NLP training pipelines, text preprocessing pipelines, model serving, data ingestion pipelines.

What is the CVSS score for CVE-2021-37646?

CVE-2021-37646 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.StringNGrams` is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/string_ngrams_op.cc#L184) calls `reserve` on a `tstring` with a value that sometimes can be negative if user supplies negative `ngram_widths`. The `reserve` method calls `TF_TString_Reserve` which has an `unsigned long` argument for the size of the buffer. Hence, the implicit conversion transforms the negative value to a large integer. We have patched the issue in GitHub commit c283e542a3f422420cfdb332414543b62fc4e4a5. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targeting an NLP model-serving API sends a crafted request with negative ngram_widths (e.g., -1) to an endpoint that invokes tf.raw_ops.StringNGrams internally. The application does not validate the parameter before passing it to TensorFlow. TF converts -1 (signed int) to an enormous unsigned long, calls reserve() requesting gigabytes of memory, and the process crashes with an OOM error. The adversary repeats this at high frequency, causing persistent DoS to the inference service — effectively taking down the ML capability with trivial, unauthenticated HTTP requests if the parameter is user-controlled.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: August 12, 2021
Last Modified: November 21, 2024
First Seen: August 12, 2021

Related Vulnerabilities