AI Threat Alert

CVE-2021-37650: TensorFlow: heap overflow in DatasetToTFRecord ops

HIGH
Published August 12, 2021
CISO Take

TensorFlow versions prior to 2.6.0 contain a heap buffer overflow in TFRecord dataset operations triggered by non-string data types. Patch immediately if running TF 2.3.x–2.5.x in training pipelines, especially on shared ML infrastructure. The local access requirement is a weak mitigation in shared Jupyter or Kubernetes ML environments where multi-tenant access is common.

What is the risk?

CVSS 7.8 HIGH with local attack vector and low privilege requirement. In typical ML training environments—shared Kubernetes clusters, Jupyter notebook servers, or MLOps platforms—the local constraint provides minimal protection. Heap corruption (CWE-787) creates potential for code execution beyond simple crashes, elevating real-world risk above what the base score implies in multi-tenant AI infrastructure.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 3d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.8 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 8% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

5 steps

  1. Upgrade TensorFlow to 2.6.0+, or apply backport patches to 2.5.1, 2.4.3, or 2.3.4.

  2. Enforce strict schema validation on datasets before calling TFRecord ops—ensure all fields are string type.

  3. Run training jobs in isolated containers with least-privilege service accounts and no shared filesystem access.

  4. Audit ML pipeline code for uses of DatasetToTFRecord or ExperimentalDatasetToTFRecord with mixed-type datasets.

  5. Monitor for unexpected process crashes or segfaults in training infrastructure as a detection signal.

How is it classified?

Code Execution DoS Framework Training Data AML.T0010.001 AML.T0029 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.5 - AI system security
NIST AI RMF
MANAGE-2.2 - Mechanisms are in place to sustain the value of AI systems over time
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-37650?

TensorFlow versions prior to 2.6.0 contain a heap buffer overflow in TFRecord dataset operations triggered by non-string data types. Patch immediately if running TF 2.3.x–2.5.x in training pipelines, especially on shared ML infrastructure. The local access requirement is a weak mitigation in shared Jupyter or Kubernetes ML environments where multi-tenant access is common.

Is CVE-2021-37650 actively exploited?

No confirmed active exploitation of CVE-2021-37650 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37650?

1. Upgrade TensorFlow to 2.6.0+, or apply backport patches to 2.5.1, 2.4.3, or 2.3.4. 2. Enforce strict schema validation on datasets before calling TFRecord ops—ensure all fields are string type. 3. Run training jobs in isolated containers with least-privilege service accounts and no shared filesystem access. 4. Audit ML pipeline code for uses of DatasetToTFRecord or ExperimentalDatasetToTFRecord with mixed-type datasets. 5. Monitor for unexpected process crashes or segfaults in training infrastructure as a detection signal.

What systems are affected by CVE-2021-37650?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data preprocessing, ML training infrastructure, shared Jupyter environments, MLOps platforms.

What is the CVSS score for CVE-2021-37650?

CVE-2021-37650 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.18%.

What is the AI security impact?

Affected AI Architectures

training pipelinesdata preprocessingML training infrastructureshared Jupyter environmentsMLOps platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation for `tf.raw_ops.ExperimentalDatasetToTFRecord` and `tf.raw_ops.DatasetToTFRecord` can trigger heap buffer overflow and segmentation fault. The [implementation](https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/data/experimental/to_tf_record_op.cc#L93-L102) assumes that all records in the dataset are of string type. However, there is no check for that, and the example given above uses numeric types. We have patched the issue in GitHub commit e0b6e58c328059829c3eb968136f17aa72b6c876. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with low-privileged access to a shared ML training cluster (e.g., a data scientist account on a multi-tenant Jupyter server) crafts a TensorFlow dataset containing numeric tensors and passes it to tf.raw_ops.DatasetToTFRecord. This triggers a heap buffer overflow in the kernel. On hardened systems this reliably crashes the training process (DoS); on older or misconfigured GPU nodes, heap spray techniques could achieve arbitrary code execution, enabling lateral movement across shared training infrastructure and access to co-tenants' model weights or training data.

Weaknesses (CWE)

CWE-787 Out-of-bounds Write Primary CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.

  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
August 12, 2021
Last Modified
November 21, 2024
First Seen
August 12, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed