CVE-2021-37654 — HIGH (CVSS 7.1) AI Security Vulnerability

CISO Take

Any user able to execute TensorFlow code in your environment — data scientists, notebook users, shared training jobs — can crash the ML runtime or read heap memory beyond tensor bounds. Patch to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately. In multi-tenant GPU clusters or shared Jupyter environments, this is a lateral data exposure risk, not just a crash.

Risk Assessment

CVSS 7.1 understates real-world risk in ML environments. 'Local' access in ML contexts means any user with notebook or training job execution rights — a standard data scientist role. Low attack complexity means no ML expertise is required: pass an out-of-range batch_dims integer to tf.raw_ops.ResourceGather and the vulnerability triggers. Confidentiality impact is HIGH because out-of-bounds heap reads can expose adjacent tensor data, potentially leaking training data, model weights, or credentials loaded into memory by co-located processes in shared GPU nodes.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.1 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 11% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I None

A High

Recommended Action

5 steps

PATCH

Upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4 — all contain commit bc9c546c.
DETECT

Audit TF version across all environments: pip show tensorflow | grep Version. Scan container images in your registry for pinned vulnerable TF versions.
WORKAROUND

If patching is blocked, add input validation to reject batch_dims values >= tensor rank before passing to tf.raw_ops.ResourceGather.
HARDEN

In shared environments, enforce process isolation per user (separate containers/VMs) to contain heap exposure.
MONITOR

Alert on TF crashes (check logs for CHECK-fail patterns) as potential exploitation indicator.

Classification

DoS Data Extraction Framework Training Data AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0043 - Craft Adversarial Data

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system security and resilience

NIST AI RMF

MANAGE-2.2 - Mechanisms are in place to inventory AI risks

OWASP LLM Top 10

LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2021-37654?

Any user able to execute TensorFlow code in your environment — data scientists, notebook users, shared training jobs — can crash the ML runtime or read heap memory beyond tensor bounds. Patch to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately. In multi-tenant GPU clusters or shared Jupyter environments, this is a lateral data exposure risk, not just a crash.

Is CVE-2021-37654 actively exploited?

No confirmed active exploitation of CVE-2021-37654 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37654?

1. PATCH: Upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4 — all contain commit bc9c546c. 2. DETECT: Audit TF version across all environments: `pip show tensorflow | grep Version`. Scan container images in your registry for pinned vulnerable TF versions. 3. WORKAROUND: If patching is blocked, add input validation to reject batch_dims values >= tensor rank before passing to tf.raw_ops.ResourceGather. 4. HARDEN: In shared environments, enforce process isolation per user (separate containers/VMs) to contain heap exposure. 5. MONITOR: Alert on TF crashes (check logs for CHECK-fail patterns) as potential exploitation indicator.

What systems are affected by CVE-2021-37654?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML compute clusters, embedding-based recommendation systems, transformer/NLP training infrastructure.

What is the CVSS score for CVE-2021-37654?

CVE-2021-37654 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a crash via a `CHECK`-fail in debug builds of TensorFlow using `tf.raw_ops.ResourceGather` or a read from outside the bounds of heap allocated data in the same API in a release build. The [implementation](https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/resource_variable_ops.cc#L660-L668) does not check that the `batch_dims` value that the user supplies is less than the rank of the input tensor. Since the implementation uses several for loops over the dimensions of `tensor`, this results in reading data from outside the bounds of heap allocated buffer backing the tensor. We have patched the issue in GitHub commit bc9c546ce7015c57c2f15c168b3d9201de679a1d. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

A data scientist on a shared ML cluster submits a training job that calls tf.raw_ops.ResourceGather with a batch_dims value equal to or exceeding the input tensor's rank. In debug builds, this triggers a CHECK-fail crash that terminates the TF process, disrupting co-located training jobs. In production builds, TF iterates past heap buffer boundaries, reading memory from adjacent allocations — potentially exposing another user's in-memory training batch, embedding weights, or environment variables containing API keys loaded by the TF runtime. On multi-tenant GPU instances (common in cloud ML platforms), this becomes a cross-tenant data leak vector requiring only standard TF API access.