CVE-2021-37659: TensorFlow: heap OOB in cwise ops enables local RCE

HIGH
Published August 12, 2021
CISO Take

Upgrade TensorFlow to 2.6.0, 2.5.1, 2.4.3, or 2.3.4 on all training and inference infrastructure immediately. While local access is required, shared ML platforms—Jupyter hubs, GPU clusters, containerized MLOps pipelines—are routine attack surfaces where any low-privileged user can trigger this. Heap corruption enables privilege escalation beyond model code isolation boundaries, threatening host-level compromise.

Risk Assessment

Effective risk is moderate-to-high in shared ML compute environments despite the local attack vector. CVSS 7.8 reflects full CIA impact (C:H/I:H/A:H) with low complexity and low privileges: any user who can submit a TensorFlow job can exploit this. Shared GPU clusters, notebook platforms, and containerized training workers erode the local-access barrier. It is not in CISA KEV and there is no confirmed active exploitation, but the patch has been public since 2021; unpatched deployments represent an inexcusable residual risk.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1
7.8 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 12% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

Attack Surface

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

Recommended Action

5 steps
  1. Patch immediately: upgrade to TensorFlow >= 2.6.0 or apply cherrypicks for 2.5.1, 2.4.3, 2.3.4 (commit 93f428fd1768df147171ed674fee1fc5ab8309ec).

  2. Audit all TF deployments: scan CI/CD runners, Jupyter environments, and container images with `pip show tensorflow` or `pip3 show tensorflow`.

  3. Enforce tensor shape validation at pipeline ingestion points before ops execute to reduce attack surface.

  4. Run training jobs under dedicated least-privilege service accounts to contain blast radius if exploited.

  5. Detection: monitor for SIGSEGV/SIGABRT in TF worker logs and unexpected core dumps from training processes; heap OOB often manifests as intermittent crashes before controlled exploitation.
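An added example (not part of the original advisory) for the audit in step 2: it classifies pinned TensorFlow versions against the fixed releases listed in step 1. The distribution names in `TF_NAMES`, the status labels and the sample `pip freeze` output are assumptions constructed for illustration.

```python
import re

# Fixed release per release line, from the advisory; 2.6.0 onward carries the fix.
FIXED = {(2, 3): (2, 3, 4), (2, 4): (2, 4, 3), (2, 5): (2, 5, 1)}
# Distribution names treated as TensorFlow builds (assumption; extend as needed).
TF_NAMES = {"tensorflow", "tensorflow-cpu", "tensorflow-gpu"}
PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*==\s*([^\s;#]+)")
# Constructed sample of `pip freeze` output gathered from several images.
SAMPLE = """numpy==1.19.5
tensorflow==2.4.1
tensorflow-gpu==2.5.1
TensorFlow_CPU==2.6.0rc1
tensorflow==2.2.0
tensorflow==2.7.0"""

def classify(version):
    """Return patched, vulnerable, unsupported or unknown (labels are this example's)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(.*)$", version.strip())
    if not m:
        return "unknown"
    release = tuple(int(p) for p in m.group(1, 2, 3))
    line, suffix = release[:2], m.group(4)
    if line < (2, 3):
        return "unsupported"  # advisory lists no cherry-pick for lines before 2.3
    fixed = FIXED.get(line, (2, 6, 0))
    if release < fixed:
        return "vulnerable"
    # A pre-release of the fixed version itself (rc, dev) may predate the fix commit.
    if release == fixed and suffix and not suffix.startswith(("+", ".post")):
        return "unknown"
    return "patched"

def audit_pins(text):
    """Return (name, version, status) for each TensorFlow pin in freeze-style text."""
    findings = []
    for raw in text.splitlines():
        m = PIN.match(raw)
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # normalise the name
            if name in TF_NAMES:
                findings.append((name, m.group(2), classify(m.group(2))))
    return findings

if __name__ == "__main__":
    for row in audit_pins(SAMPLE):
        print("%-16s %-10s %s" % row)
```

Anything reported as `unknown` or `unsupported` needs a manual decision; only `patched` should pass an image or environment gate.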

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
A.10.3 - Third-party AI components
A.6.1.4 - AI system risk assessment
NIST AI RMF
GOVERN-1.1 - Policies for AI risk management
MANAGE-2.2 - Mechanisms to respond to AI risks
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2021-37659 actively exploited?

No confirmed active exploitation of CVE-2021-37659 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2021-37659?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps platforms, Jupyter/notebook environments.

What is the CVSS score for CVE-2021-37659?

CVE-2021-37659 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in all binary cwise operations that don't require broadcasting (e.g., gradients of binary cwise operations). The [implementation](https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/cwise_ops_common.h#L264) assumes that the two inputs have exactly the same number of elements but does not check that. Hence, when the eigen functor executes it triggers heap OOB reads and undefined behavior due to binding to nullptr. We have patched the issue in GitHub commit 93f428fd1768df147171ed674fee1fc5ab8309ec. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with low-privilege access to a shared GPU training cluster—e.g., a compromised data scientist account or a malicious CI pipeline contribution—submits a TensorFlow training job invoking a binary element-wise operation (such as a custom gradient layer) with two tensors of deliberately mismatched sizes. Because TF's cwise kernel assumes shape equality without validating it, the Eigen functor binds a reference to a null pointer and executes heap reads beyond allocated tensor memory. This leaks adjacent heap contents (model weights, auth tokens, neighboring tenant data on a multi-tenant cluster) and can be chained with heap grooming to achieve code execution on the training host, potentially escaping a containerized ML workload to compromise the underlying node.
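The check the NVD description says the kernel lacked, written as a guard a pipeline could apply to operand shapes before a job reaches TensorFlow. This is an added example, not TensorFlow's fix or code from the advisory; the function names, labels and sample shapes are constructed, and it compares element counts because that is the assumption the description names.

```python
from math import prod

def num_elements(shape):
    """Element count of a fully defined shape; raise ValueError otherwise."""
    dims = tuple(shape)
    for d in dims:
        if isinstance(d, bool) or not isinstance(d, int) or d < 0:
            raise ValueError("dimension %r is not a known non-negative int" % (d,))
    return prod(dims)  # () is a scalar: one element

def check_pair(shape_a, shape_b):
    """Return None if the pair is safe for a non-broadcasting binary op, else a reason."""
    try:
        na, nb = num_elements(shape_a), num_elements(shape_b)
    except ValueError as exc:
        return str(exc)
    if na != nb:
        return "element counts differ: %d vs %d" % (na, nb)
    return None

def screen(pairs):
    """Map label -> rejection reason for every pair that fails the check."""
    rejected = {}
    for label, a, b in pairs:
        reason = check_pair(a, b)
        if reason:
            rejected[label] = reason
    return rejected

# Constructed inputs: (label, shape of first operand, shape of second operand).
SAMPLE_PAIRS = [
    ("same-shape", (4, 16), (4, 16)),
    ("reshaped", (2, 8), (16,)),        # same element count, passes
    ("empty-vs-full", (4, 16), (0,)),   # 64 vs 0 elements
    ("unknown-dim", (None, 16), (4, 16)),
]

if __name__ == "__main__":
    for label, reason in screen(SAMPLE_PAIRS).items():
        print(label, "->", reason)
```

A stricter deployment can require identical shapes instead of equal element counts; either way the guard complements the upgrade and does not replace it.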

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
August 12, 2021
Last Modified
November 21, 2024
First Seen
August 12, 2021
