CVE-2021-37660 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

This is a local denial-of-service vulnerability in TensorFlow's inplace operations caused by a logic error (|| vs &&) when handling empty tensors. No data exfiltration or code execution risk — impact is limited to crashing the TensorFlow process. Patch to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4; prioritize multi-tenant inference or training environments where untrusted users can submit workloads.

Risk Assessment

Low operational risk for most deployments. CVSS 5.5 (Medium) reflects local-only attack vector with no confidentiality or integrity impact — only availability. Exploitability is trivial once an attacker has local execution context, but gaining that context is the real barrier. Risk elevates in shared ML platforms (Jupyter hubs, ML-as-a-Service, MLOps pipelines) where multiple users can submit TensorFlow operations.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 2% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch immediately: upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4.
For multi-tenant ML platforms, enforce input validation and sandboxing to prevent untrusted code from executing arbitrary TF ops.
Implement process restart/watchdog for TF Serving instances to limit DoS impact.
Audit container images and dependencies for pinned vulnerable TF versions.
Detection: monitor for unexpected SIGFPE signals or process crashes in TensorFlow workloads as a possible exploitation indicator.

Classification

DoS Framework AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 17 - Quality management system — robustness and availability for high-risk AI

ISO 42001

A.6.2.5 - AI system reliability and availability

NIST AI RMF

GOVERN-1.4 - Organizational policies and practices for AI risk management include software and dependency vulnerability tracking MANAGE-2.2 - Mechanisms are in place to respond and recover from AI system failures and incidents

Frequently Asked Questions

What is CVE-2021-37660?

This is a local denial-of-service vulnerability in TensorFlow's inplace operations caused by a logic error (|| vs &&) when handling empty tensors. No data exfiltration or code execution risk — impact is limited to crashing the TensorFlow process. Patch to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4; prioritize multi-tenant inference or training environments where untrusted users can submit workloads.

Is CVE-2021-37660 actively exploited?

No confirmed active exploitation of CVE-2021-37660 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37660?

1. Patch immediately: upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4. 2. For multi-tenant ML platforms, enforce input validation and sandboxing to prevent untrusted code from executing arbitrary TF ops. 3. Implement process restart/watchdog for TF Serving instances to limit DoS impact. 4. Audit container images and dependencies for pinned vulnerable TF versions. 5. Detection: monitor for unexpected SIGFPE signals or process crashes in TensorFlow workloads as a possible exploitation indicator.

What systems are affected by CVE-2021-37660?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ml development environments.

What is the CVSS score for CVE-2021-37660?

CVE-2021-37660 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause a floating point exception by calling inplace operations with crafted arguments that would result in a division by 0. The [implementation](https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/inplace_ops.cc#L283) has a logic error: it should skip processing if `x` and `v` are empty but the code uses `||` instead of `&&`. We have patched the issue in GitHub commit e86605c0a336c088b638da02135ea6f9f6753618. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to a shared ML platform (e.g., a Jupyter notebook environment or a model training service) submits a crafted Python script that calls an inplace TensorFlow operation with two empty tensors as arguments. The logic error causes a division-by-zero floating point exception, crashing the TensorFlow process. In a multi-tenant training cluster, this disrupts co-located training jobs. In a production inference server processing user-submitted TF SavedModels, a malicious model embedding this operation pattern could trigger service crashes on load.