CVE-2021-37657: TensorFlow: null ptr deref in MatrixDiagV ops
HIGH
Unpatched TensorFlow instances (pre-2.6.0) are vulnerable to undefined behavior via malformed empty tensor inputs to MatrixDiagV operations, enabling crash or potential code execution with only local/low privileges. In shared ML environments—multi-tenant notebooks, model serving APIs, or CI/CD training pipelines—any user able to submit computation graphs can trigger this. Upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately and audit container base images.
Risk Assessment
CVSS 7.8 High with local attack vector, low complexity, and low privilege requirements. Real-world risk is elevated in organizations running shared Jupyter environments, ML platforms accepting user-submitted models, or TF Serving endpoints that process external computation graphs. Standalone single-user deployments present lower risk. No known active exploitation as of publication date, but a PoC is trivially constructable from the public patch diff—lowering the bar to near-zero for any attacker with TF knowledge.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | — | No patch |
Do you use tensorflow? You're affected.
Recommended Action
1. Patch immediately: upgrade TensorFlow to 2.6.0, 2.5.1, 2.4.3, or 2.3.4 across all environments.
2. Inventory: audit pip/conda environments and container base images for vulnerable TF versions in training workers, serving pods, and CI/CD pipelines.
3. Workaround if patching is delayed: restrict submission of arbitrary computation graphs to TF services; add input validation enforcing non-zero tensor element count before MatrixDiagV calls.
4. Monitor: alert on unexpected process crashes in TF Serving or training workers as a potential exploitation signal.
5. Harden: run TF processes under least-privilege service accounts to limit blast radius if exploited.
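For the inventory step, the following added example (not part of the original advisory or of TensorFlow) classifies the TensorFlow pins in `pip freeze` output against the fixed releases listed above. Treating `tensorflow-cpu` and `tensorflow-gpu` as affected, and flagging pre-release or local builds as unverified, are assumptions of this example.

```python
import re

# Fixed patch level per release branch, as listed in this advisory.
FIXED_PATCH = {(2, 3): 4, (2, 4): 3, (2, 5): 1}
FIRST_FIXED_BRANCH = (2, 6)  # 2.6.0 and every later branch carry the fix
# Assumption: the CPU and GPU wheels ship the same kernels as "tensorflow".
PACKAGES = {"tensorflow", "tensorflow-cpu", "tensorflow-gpu"}
PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*(\d+)\.(\d+)\.(\d+)([^\s;#]*)")


def status(major, minor, patch, suffix=""):
    """Classify one release against the fixed versions for CVE-2021-37657."""
    if suffix:  # rc, dev, post or local builds: the advisory does not cover them
        return "unverified"
    floor = FIXED_PATCH.get((major, minor))
    fixed = (major, minor) >= FIRST_FIXED_BRANCH or (floor is not None and patch >= floor)
    return "patched" if fixed else "vulnerable"


def audit(freeze_text):
    """Return (package, version, status) for each TensorFlow pin in pip freeze output."""
    findings = []
    for line in freeze_text.splitlines():
        match = PIN.match(line)
        if not match:
            continue
        name = match.group(1).lower().replace("_", "-")
        if name not in PACKAGES:
            continue
        major, minor, patch = (int(match.group(i)) for i in (2, 3, 4))
        suffix = match.group(5)
        version = f"{major}.{minor}.{patch}{suffix}"
        findings.append((name, version, status(major, minor, patch, suffix)))
    return findings


# Constructed sample, not taken from a real environment.
SAMPLE = """\
tensorflow==2.5.0
tensorflow-gpu==2.4.3
tensorflow-estimator==2.5.0
tensorflow==2.6.0rc1
tensorflow-cpu==2.2.3
tensorflow==2.7.1
"""

for finding in audit(SAMPLE):
    print(*finding)
```

Branches older than 2.3 have no fixed release listed here, so any pin on them is reported as vulnerable.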
Frequently Asked Questions
What is CVE-2021-37657?
Unpatched TensorFlow instances (pre-2.6.0) are vulnerable to undefined behavior via malformed empty tensor inputs to MatrixDiagV operations, enabling crash or potential code execution with only local/low privileges. In shared ML environments—multi-tenant notebooks, model serving APIs, or CI/CD training pipelines—any user able to submit computation graphs can trigger this. Upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately and audit container base images.
Is CVE-2021-37657 actively exploited?
No confirmed active exploitation of CVE-2021-37657 has been reported, but organizations should still patch proactively.
How to fix CVE-2021-37657?
1. Patch immediately: upgrade TensorFlow to 2.6.0, 2.5.1, 2.4.3, or 2.3.4 across all environments.
2. Inventory: audit pip/conda environments and container base images for vulnerable TF versions in training workers, serving pods, and CI/CD pipelines.
3. Workaround if patching is delayed: restrict submission of arbitrary computation graphs to TF services; add input validation enforcing non-zero tensor element count before MatrixDiagV calls.
4. Monitor: alert on unexpected process crashes in TF Serving or training workers as a potential exploitation signal.
5. Harden: run TF processes under least-privilege service accounts to limit blast radius if exploited.
What systems are affected by CVE-2021-37657?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, notebook environments, inference infrastructure.
What is the CVSS score for CVE-2021-37657?
CVE-2021-37657 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.04%.
Technical Details
NVD Description
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in all operations of type `tf.raw_ops.MatrixDiagV*`. The [implementation](https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/linalg/matrix_diag_op.cc) has incomplete validation that the value of `k` is a valid tensor. We have a check that this value is either a scalar or a vector, but there is no check for the number of elements. If this is an empty tensor, then code that accesses the first element of the tensor is wrong. We have patched the issue in GitHub commit f2a673bd34f0d64b8e40a551ac78989d16daad09. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
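The validation gap described above, and the input-validation workaround from the recommended actions, can be enforced at the service layer before a request reaches the op. This is an added example, not TensorFlow's own code: `shape_of`, `check_diag_index` and `guarded_call` are hypothetical helper names, and `op` stands for any `tf.raw_ops.MatrixDiagV*` callable supplied by the caller.

```python
def shape_of(value):
    """Shape of a tensor-like value: use .shape if present, else walk nested lists."""
    if hasattr(value, "shape"):
        dims = tuple(value.shape)
        if any(d is None for d in dims):
            raise ValueError("k has an unknown dimension; cannot validate it")
        return tuple(int(d) for d in dims)
    if isinstance(value, (list, tuple)):
        if not value:
            return (0,)
        inner = {shape_of(item) for item in value}
        if len(inner) != 1:
            raise ValueError("ragged input is not a valid tensor")
        return (len(value),) + inner.pop()
    return ()  # plain Python scalar


def check_diag_index(k):
    """Reject a k argument that the unpatched kernel would mishandle."""
    shape = shape_of(k)
    # The check the kernel already had: k is a scalar or a vector.
    if len(shape) > 1:
        raise ValueError(f"k must be a scalar or vector, got rank {len(shape)}")
    # The check the kernel was missing: k holds at least one element.
    num_elements = 1
    for dim in shape:
        num_elements *= dim
    if num_elements == 0:
        raise ValueError("k must have at least one element, got an empty tensor")
    return shape


def guarded_call(op, *, k, **kwargs):
    """Validate k, then invoke op (a tf.raw_ops.MatrixDiagV* callable) with it."""
    check_diag_index(k)
    return op(k=k, **kwargs)
```

Because `shape_of` reads a `.shape` attribute when one exists, the same guard accepts NumPy arrays and eager tensors as well as plain Python lists.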
Exploitation Scenario
An attacker with access to a shared ML platform—a data scientist on a multi-tenant Jupyter server, or an insider with API access to a model training queue—submits a computation graph containing a MatrixDiagV op with an empty tensor (zero elements) as the k parameter. The missing bounds check causes the C++ kernel to dereference a pointer to uninitialized memory. In most environments this yields a SIGSEGV crash, taking down the training worker or TF Serving pod (DoS). In a deliberately crafted memory layout, it becomes a potential arbitrary code execution primitive under the TF process identity, giving the attacker access to GPU resources, training data on disk, model artifacts, and any cloud credentials stored in environment variables or mounted secrets.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Related Vulnerabilities
| CVE | CVSS | Summary | Relation |
|---|---|---|---|
| CVE-2020-15196 | 9.9 | TensorFlow: heap OOB read in sparse/ragged count ops | Same package: tensorflow |
| CVE-2020-15205 | 9.8 | TensorFlow: heap overflow in StringNGrams, ASLR bypass | Same package: tensorflow |
| CVE-2020-15208 | 9.8 | TFLite: OOB read/write via tensor dimension mismatch | Same package: tensorflow |
| CVE-2019-16778 | 9.8 | TensorFlow: heap overflow in UnsortedSegmentSum op | Same package: tensorflow |
| CVE-2022-23587 | 9.8 | TensorFlow: integer overflow in Grappler enables RCE | Same package: tensorflow |