CVE-2021-37662 — HIGH (CVSS 7.8) AI Security Vulnerability

CISO Take

A local attacker with low-privilege access to a shared TensorFlow environment can trigger undefined behavior in BoostedTrees training operations, potentially escalating to arbitrary code execution. Shared ML training infrastructure (multi-tenant Jupyter hubs, GPU clusters) is the primary exposure surface. Patch to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately; restrict untrusted input to gradient-boosting training pipelines as a short-term control.

Risk Assessment

CVSS 7.8 High but local attack vector reduces internet-exposed risk. The real threat is insider or lateral-movement scenarios on shared ML infrastructure — low complexity and no user interaction required make exploitation straightforward once local access is obtained. No evidence of active exploitation (not in CISA KEV). Risk is elevated in organizations running multi-tenant ML platforms or allowing data scientists to submit arbitrary training jobs.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.8 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 28% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

Recommended Action

5 steps

Patch: upgrade to TensorFlow 2.6.0 or apply cherrypick commits (9c87c32c, 429f009d) to 2.5.x, 2.4.x, or 2.3.x.
Validate all inputs to BoostedTrees ops at the application layer before passing to TF kernels.
Run training workloads in isolated containers or VMs — do not share TF worker processes across trust boundaries.
Audit ML job submission pipelines for untrusted user-controlled inputs reaching gradient-boosting ops.
Monitor for unexpected TF worker crashes or SIGABRT signals as a detection signal.

Classification

Code Execution DoS Framework Training Data AML.T0010.001 - AI Software AML.T0043 - Craft Adversarial Data AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 9 - Risk management system

ISO 42001

A.6.2.6 - AI system security and vulnerability management

NIST AI RMF

MANAGE 2.2 - Mechanisms for managing AI risks are in place and regularly reviewed

OWASP LLM Top 10

LLM09 - Overreliance on Third-Party Dependencies

Frequently Asked Questions

What is CVE-2021-37662?

A local attacker with low-privilege access to a shared TensorFlow environment can trigger undefined behavior in BoostedTrees training operations, potentially escalating to arbitrary code execution. Shared ML training infrastructure (multi-tenant Jupyter hubs, GPU clusters) is the primary exposure surface. Patch to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately; restrict untrusted input to gradient-boosting training pipelines as a short-term control.

Is CVE-2021-37662 actively exploited?

No confirmed active exploitation of CVE-2021-37662 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37662?

1. Patch: upgrade to TensorFlow 2.6.0 or apply cherrypick commits (9c87c32c, 429f009d) to 2.5.x, 2.4.x, or 2.3.x. 2. Validate all inputs to BoostedTrees ops at the application layer before passing to TF kernels. 3. Run training workloads in isolated containers or VMs — do not share TF worker processes across trust boundaries. 4. Audit ML job submission pipelines for untrusted user-controlled inputs reaching gradient-boosting ops. 5. Monitor for unexpected TF worker crashes or SIGABRT signals as a detection signal.

What systems are affected by CVE-2021-37662?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving.

What is the CVSS score for CVE-2021-37662?

CVE-2021-37662 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.11%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can generate undefined behavior via a reference binding to nullptr in `BoostedTreesCalculateBestGainsPerFeature` and similar attack can occur in `BoostedTreesCalculateBestFeatureSplitV2`. The [implementation](https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/boosted_trees/stats_ops.cc) does not validate the input values. We have patched the issue in GitHub commit 9c87c32c710d0b5b53dc6fd3bfde4046e1f7a5ad and in commit 429f009d2b2c09028647dd4bb7b3f6f414bbaad7. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with shell access to a shared ML training server (e.g., a Jupyter notebook in a multi-tenant data science platform) submits a crafted training job that passes malformed feature data to `BoostedTreesCalculateBestGainsPerFeature`. The missing input validation causes a reference binding to nullptr, triggering undefined behavior in the TF kernel. Depending on allocator state, this can corrupt adjacent memory structures in the training process, potentially giving the attacker code execution under the service account running TF workers — often a privileged account with access to training data, model artifacts, and cloud credentials.