CVE-2021-37662: TensorFlow null deref

CISO Take

A local attacker with low-privilege access to a shared TensorFlow environment can trigger undefined behavior in BoostedTrees training operations, potentially escalating to arbitrary code execution. Shared ML training infrastructure (multi-tenant Jupyter hubs, GPU clusters) is the primary exposure surface. Patch to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately; restrict untrusted input to gradient-boosting training pipelines as a short-term control.

What is the risk?

CVSS 7.8 High but local attack vector reduces internet-exposed risk. The real threat is insider or lateral-movement scenarios on shared ML infrastructure — low complexity and no user interaction required make exploitation straightforward once local access is obtained. No evidence of active exploitation (not in CISA KEV). Risk is elevated in organizations running multi-tenant ML platforms or allowing data scientists to submit arbitrary training jobs.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 3d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

7.8 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 9% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

What should I do?

5 steps

Patch: upgrade to TensorFlow 2.6.0 or apply cherrypick commits (9c87c32c, 429f009d) to 2.5.x, 2.4.x, or 2.3.x.
Validate all inputs to BoostedTrees ops at the application layer before passing to TF kernels.
Run training workloads in isolated containers or VMs — do not share TF worker processes across trust boundaries.
Audit ML job submission pipelines for untrusted user-controlled inputs reaching gradient-boosting ops.
Monitor for unexpected TF worker crashes or SIGABRT signals as a detection signal.

How is it classified?

Code Execution DoS Framework Training Data AML.T0010.001 - AI Software AML.T0043 - Craft Adversarial Data AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 9 - Risk management system

ISO 42001

A.6.2.6 - AI system security and vulnerability management

NIST AI RMF

MANAGE 2.2 - Mechanisms for managing AI risks are in place and regularly reviewed

OWASP LLM Top 10

LLM09 - Overreliance on Third-Party Dependencies

Frequently Asked Questions

What is CVE-2021-37662?

A local attacker with low-privilege access to a shared TensorFlow environment can trigger undefined behavior in BoostedTrees training operations, potentially escalating to arbitrary code execution. Shared ML training infrastructure (multi-tenant Jupyter hubs, GPU clusters) is the primary exposure surface. Patch to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately; restrict untrusted input to gradient-boosting training pipelines as a short-term control.

Is CVE-2021-37662 actively exploited?

No confirmed active exploitation of CVE-2021-37662 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37662?

1. Patch: upgrade to TensorFlow 2.6.0 or apply cherrypick commits (9c87c32c, 429f009d) to 2.5.x, 2.4.x, or 2.3.x. 2. Validate all inputs to BoostedTrees ops at the application layer before passing to TF kernels. 3. Run training workloads in isolated containers or VMs — do not share TF worker processes across trust boundaries. 4. Audit ML job submission pipelines for untrusted user-controlled inputs reaching gradient-boosting ops. 5. Monitor for unexpected TF worker crashes or SIGABRT signals as a detection signal.

What systems are affected by CVE-2021-37662?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving.

What is the CVSS score for CVE-2021-37662?

CVE-2021-37662 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.19%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel serving

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0043 Craft Adversarial Data

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9

ISO 42001: A.6.2.6

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM09

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can generate undefined behavior via a reference binding to nullptr in `BoostedTreesCalculateBestGainsPerFeature` and similar attack can occur in `BoostedTreesCalculateBestFeatureSplitV2`. The [implementation](https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/boosted_trees/stats_ops.cc) does not validate the input values. We have patched the issue in GitHub commit 9c87c32c710d0b5b53dc6fd3bfde4046e1f7a5ad and in commit 429f009d2b2c09028647dd4bb7b3f6f414bbaad7. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with shell access to a shared ML training server (e.g., a Jupyter notebook in a multi-tenant data science platform) submits a crafted training job that passes malformed feature data to `BoostedTreesCalculateBestGainsPerFeature`. The missing input validation causes a reference binding to nullptr, triggering undefined behavior in the TF kernel. Depending on allocator state, this can corrupt adjacent memory structures in the training process, potentially giving the attacker code execution under the service account running TF workers — often a privileged account with access to training data, model artifacts, and cloud credentials.