CVE-2021-37650 — HIGH (CVSS 7.8) AI Security Vulnerability

CISO Take

TensorFlow versions prior to 2.6.0 contain a heap buffer overflow in TFRecord dataset operations triggered by non-string data types. Patch immediately if running TF 2.3.x–2.5.x in training pipelines, especially on shared ML infrastructure. The local access requirement is a weak mitigation in shared Jupyter or Kubernetes ML environments where multi-tenant access is common.

Risk Assessment

CVSS 7.8 HIGH with local attack vector and low privilege requirement. In typical ML training environments—shared Kubernetes clusters, Jupyter notebook servers, or MLOps platforms—the local constraint provides minimal protection. Heap corruption (CWE-787) creates potential for code execution beyond simple crashes, elevating real-world risk above what the base score implies in multi-tenant AI infrastructure.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.8 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 3% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

Recommended Action

5 steps

Upgrade TensorFlow to 2.6.0+, or apply backport patches to 2.5.1, 2.4.3, or 2.3.4.
Enforce strict schema validation on datasets before calling TFRecord ops—ensure all fields are string type.
Run training jobs in isolated containers with least-privilege service accounts and no shared filesystem access.
Audit ML pipeline code for uses of DatasetToTFRecord or ExperimentalDatasetToTFRecord with mixed-type datasets.
Monitor for unexpected process crashes or segfaults in training infrastructure as a detection signal.

Classification

Code Execution DoS Framework Training Data AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.5 - AI system security

NIST AI RMF

MANAGE-2.2 - Mechanisms are in place to sustain the value of AI systems over time

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-37650?

TensorFlow versions prior to 2.6.0 contain a heap buffer overflow in TFRecord dataset operations triggered by non-string data types. Patch immediately if running TF 2.3.x–2.5.x in training pipelines, especially on shared ML infrastructure. The local access requirement is a weak mitigation in shared Jupyter or Kubernetes ML environments where multi-tenant access is common.

Is CVE-2021-37650 actively exploited?

No confirmed active exploitation of CVE-2021-37650 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37650?

1. Upgrade TensorFlow to 2.6.0+, or apply backport patches to 2.5.1, 2.4.3, or 2.3.4. 2. Enforce strict schema validation on datasets before calling TFRecord ops—ensure all fields are string type. 3. Run training jobs in isolated containers with least-privilege service accounts and no shared filesystem access. 4. Audit ML pipeline code for uses of DatasetToTFRecord or ExperimentalDatasetToTFRecord with mixed-type datasets. 5. Monitor for unexpected process crashes or segfaults in training infrastructure as a detection signal.

What systems are affected by CVE-2021-37650?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data preprocessing, ML training infrastructure, shared Jupyter environments, MLOps platforms.

What is the CVSS score for CVE-2021-37650?

CVE-2021-37650 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation for `tf.raw_ops.ExperimentalDatasetToTFRecord` and `tf.raw_ops.DatasetToTFRecord` can trigger heap buffer overflow and segmentation fault. The [implementation](https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/data/experimental/to_tf_record_op.cc#L93-L102) assumes that all records in the dataset are of string type. However, there is no check for that, and the example given above uses numeric types. We have patched the issue in GitHub commit e0b6e58c328059829c3eb968136f17aa72b6c876. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with low-privileged access to a shared ML training cluster (e.g., a data scientist account on a multi-tenant Jupyter server) crafts a TensorFlow dataset containing numeric tensors and passes it to tf.raw_ops.DatasetToTFRecord. This triggers a heap buffer overflow in the kernel. On hardened systems this reliably crashes the training process (DoS); on older or misconfigured GPU nodes, heap spray techniques could achieve arbitrary code execution, enabling lateral movement across shared training infrastructure and access to co-tenants' model weights or training data.