CVE-2021-37660: TensorFlow DoS via divide-by-zero

CISO Take

This is a local denial-of-service vulnerability in TensorFlow's inplace operations caused by a logic error (|| vs &&) when handling empty tensors. No data exfiltration or code execution risk — impact is limited to crashing the TensorFlow process. Patch to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4; prioritize multi-tenant inference or training environments where untrusted users can submit workloads.

What is the risk?

Low operational risk for most deployments. CVSS 5.5 (Medium) reflects local-only attack vector with no confidentiality or integrity impact — only availability. Exploitability is trivial once an attacker has local execution context, but gaining that context is the real barrier. Risk elevates in shared ML platforms (Jupyter hubs, ML-as-a-Service, MLOps pipelines) where multiple users can submit TensorFlow operations.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

5.5 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 5% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

What should I do?

5 steps

Patch immediately: upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4.
For multi-tenant ML platforms, enforce input validation and sandboxing to prevent untrusted code from executing arbitrary TF ops.
Implement process restart/watchdog for TF Serving instances to limit DoS impact.
Audit container images and dependencies for pinned vulnerable TF versions.
Detection: monitor for unexpected SIGFPE signals or process crashes in TensorFlow workloads as a possible exploitation indicator.

How is it classified?

DoS Framework AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 17 - Quality management system — robustness and availability for high-risk AI

ISO 42001

A.6.2.5 - AI system reliability and availability

NIST AI RMF

GOVERN-1.4 - Organizational policies and practices for AI risk management include software and dependency vulnerability tracking MANAGE-2.2 - Mechanisms are in place to respond and recover from AI system failures and incidents

Frequently Asked Questions

What is CVE-2021-37660?

This is a local denial-of-service vulnerability in TensorFlow's inplace operations caused by a logic error (|| vs &&) when handling empty tensors. No data exfiltration or code execution risk — impact is limited to crashing the TensorFlow process. Patch to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4; prioritize multi-tenant inference or training environments where untrusted users can submit workloads.

Is CVE-2021-37660 actively exploited?

No confirmed active exploitation of CVE-2021-37660 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37660?

1. Patch immediately: upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4. 2. For multi-tenant ML platforms, enforce input validation and sandboxing to prevent untrusted code from executing arbitrary TF ops. 3. Implement process restart/watchdog for TF Serving instances to limit DoS impact. 4. Audit container images and dependencies for pinned vulnerable TF versions. 5. Detection: monitor for unexpected SIGFPE signals or process crashes in TensorFlow workloads as a possible exploitation indicator.

What systems are affected by CVE-2021-37660?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ml development environments.

What is the CVSS score for CVE-2021-37660?

CVE-2021-37660 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.15%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingml development environments

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0029 Denial of AI Service

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 17

ISO 42001: A.6.2.5

NIST AI RMF: GOVERN-1.4, MANAGE-2.2

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause a floating point exception by calling inplace operations with crafted arguments that would result in a division by 0. The [implementation](https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/inplace_ops.cc#L283) has a logic error: it should skip processing if `x` and `v` are empty but the code uses `||` instead of `&&`. We have patched the issue in GitHub commit e86605c0a336c088b638da02135ea6f9f6753618. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to a shared ML platform (e.g., a Jupyter notebook environment or a model training service) submits a crafted Python script that calls an inplace TensorFlow operation with two empty tensors as arguments. The logic error causes a division-by-zero floating point exception, crashing the TensorFlow process. In a multi-tenant training cluster, this disrupts co-located training jobs. In a production inference server processing user-submitted TF SavedModels, a malicious model embedding this operation pattern could trigger service crashes on load.