CVE-2021-37664 — HIGH (CVSS 7.1) AI Security Vulnerability

CISO Take

TensorFlow prior to 2.6.0 allows local low-privilege attackers to trigger a heap out-of-bounds read via crafted inputs to BoostedTrees operations, risking training data leakage from heap memory and DoS of training jobs. Patch to TF 2.6.0 or apply cherry-pick fixes for 2.3.4/2.4.3/2.5.1 immediately. Shared ML training infrastructure and multi-tenant data science platforms are the primary exposure surface.

Risk Assessment

Moderate risk in practice. The local attack vector limits exposure to insider threats, compromised developer credentials, or shared ML compute environments. In enterprises running multi-tenant GPU clusters or shared Jupyter/ML platforms, the low-privilege requirement means any authenticated user can trigger exploitation. The heap OOB read can leak adjacent memory allocations, potentially exposing fragments of training data or intermediate model state. Not in CISA KEV and no known active exploitation reduces urgency but patching remains straightforward.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.1 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 11% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I None

A High

Recommended Action

5 steps

Upgrade TensorFlow to 2.6.0+, or cherry-pick the patch (commit e84c975) on supported branches: 2.5.1, 2.4.3, 2.3.4.
Before patching, add server-side validation rejecting stats_summary_indices values outside expected range at any API boundary accepting BoostedTrees inputs.
Restrict write access to ML training infrastructure — enforce least privilege on shared GPU/ML servers.
Monitor training processes for anomalous SIGBUS/SIGSEGV crashes as potential exploitation indicators.
Audit current TF version inventory across all training environments, including containerized ML pipelines.

Classification

Data Extraction DoS Framework Training Data AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0029 - Denial of AI Service AML.T0037 - Data from Local System

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI system design and implementation

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain and monitor AI risk treatments

OWASP LLM Top 10

LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2021-37664?

TensorFlow prior to 2.6.0 allows local low-privilege attackers to trigger a heap out-of-bounds read via crafted inputs to BoostedTrees operations, risking training data leakage from heap memory and DoS of training jobs. Patch to TF 2.6.0 or apply cherry-pick fixes for 2.3.4/2.4.3/2.5.1 immediately. Shared ML training infrastructure and multi-tenant data science platforms are the primary exposure surface.

Is CVE-2021-37664 actively exploited?

No confirmed active exploitation of CVE-2021-37664 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37664?

1. Upgrade TensorFlow to 2.6.0+, or cherry-pick the patch (commit e84c975) on supported branches: 2.5.1, 2.4.3, 2.3.4. 2. Before patching, add server-side validation rejecting stats_summary_indices values outside expected range at any API boundary accepting BoostedTrees inputs. 3. Restrict write access to ML training infrastructure — enforce least privilege on shared GPU/ML servers. 4. Monitor training processes for anomalous SIGBUS/SIGSEGV crashes as potential exploitation indicators. 5. Audit current TF version inventory across all training environments, including containerized ML pipelines.

What systems are affected by CVE-2021-37664?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, shared ML infrastructure, model serving.

What is the CVSS score for CVE-2021-37664?

CVE-2021-37664 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can read from outside of bounds of heap allocated data by sending specially crafted illegal arguments to `BoostedTreesSparseCalculateBestFeatureSplit`. The [implementation](https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/boosted_trees/stats_ops.cc) needs to validate that each value in `stats_summary_indices` is in range. We have patched the issue in GitHub commit e84c975313e8e8e38bb2ea118196369c45c51378. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An insider threat or attacker who has compromised a data scientist's credentials on a shared ML training server submits a crafted training job containing out-of-range values in stats_summary_indices. The OOB read either crashes the training process outright (DoS, destroying training progress) or, in a targeted scenario, leaks heap memory adjacent to training data structures — potentially exposing proprietary training datasets, feature engineering outputs, or intermediate gradient statistics from other users' concurrent jobs on the same server.