CVE-2021-37666: TensorFlow: null-ptr deref in RaggedTensorToVariant op

HIGH
Published August 12, 2021
CISO Take

Patch TensorFlow to 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately in shared ML environments. The vulnerability allows local attackers with minimal privileges to trigger undefined behavior—exploitable for privilege escalation on multi-tenant ML platforms (Jupyter hubs, MLOps pipelines). Isolated single-user training boxes carry lower risk but should still patch.

Risk Assessment

High severity (CVSS 7.8) with low attack complexity and no user interaction required. The local attack vector limits internet-scale exposure, but multi-tenant ML infrastructure—shared notebooks, model training clusters, GPU servers with multiple users—represents a realistic exploitation surface. No evidence of active exploitation or CISA KEV listing, but the low privilege requirement makes this accessible to any authenticated user on a shared system.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | | No patch |

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1: 7.8 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 2% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

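AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High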

Recommended Action

1. Patch

   Upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4. The fix is in commit be7a4de6.

2. Immediate workaround

   Audit code for direct use of `tf.raw_ops.RaggedTensorToVariant`; add explicit empty-splits validation before calling the op.

3. Detection

   Monitor for crashes/undefined behavior in TF processes; correlate with user-submitted model code on shared platforms.

4. Access control

   On shared ML platforms, restrict the ability to submit arbitrary TF ops or custom model code pending patch deployment.

5. Inventory

   Run `pip show tensorflow` across all ML nodes; flag any instance below patched versions.
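The inventory step hides one trap: a plain "older than 2.6.0" comparison would flag the patched 2.5.1, 2.4.3 and 2.3.4 releases. The sketch below is an added example, not part of the advisory or of TensorFlow; it classifies collected `pip show tensorflow` output per release branch. The node names and sample output are constructed, and treating branches older than 2.3 as flagged is an assumption.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_PATCH = {(2, 3): 4, (2, 4): 3, (2, 5): 1}
FIRST_FIXED_BRANCH = (2, 6)  # 2.6.0 and later carry the fix

VERSION_RE = re.compile(r"^Version:\s*(\d+)\.(\d+)\.(\d+)(\S*)", re.MULTILINE)


def classify(pip_show_output: str) -> str:
    """Return 'absent', 'review', 'vulnerable' or 'ok' for one node's output."""
    m = VERSION_RE.search(pip_show_output)
    if m is None:
        return "absent"        # package not installed, or output unparseable
    major, minor, patch = (int(g) for g in m.groups()[:3])
    if m.group(4):
        return "review"        # rc/dev/local build: check by hand
    if (major, minor) >= FIRST_FIXED_BRANCH:
        return "ok"
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # Assumption: a branch older than 2.3 has no fixed release listed
        # in the advisory, so it is flagged rather than cleared.
        return "vulnerable"
    return "vulnerable" if patch < fixed else "ok"


# Constructed sample: `pip show tensorflow` output collected per node.
SAMPLE = {
    "gpu-01": "Name: tensorflow\nVersion: 2.5.0\nSummary: ...",
    "gpu-02": "Name: tensorflow\nVersion: 2.5.1\n",
    "nb-hub": "Name: tensorflow\nVersion: 2.4.2\n",
    "train-7": "Name: tensorflow\nVersion: 2.6.0rc1\n",
    "legacy": "Name: tensorflow\nVersion: 1.15.5\n",
    "etl-3": "WARNING: Package(s) not found: tensorflow\n",
}


def flagged(nodes: dict) -> dict:
    """Nodes that need action, with their classification."""
    return {n: s for n, s in ((n, classify(o)) for n, o in nodes.items())
            if s in ("vulnerable", "review")}


if __name__ == "__main__":
    for node, status in sorted(flagged(SAMPLE).items()):
        print(f"{node}: {status}")
```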

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI system risk assessment
NIST AI RMF: MANAGE 2.2 - Sustain value of deployed AI systems
OWASP LLM Top 10: LLM03:2025 - Supply Chain

Frequently Asked Questions

What is CVE-2021-37666?

Patch TensorFlow to 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately in shared ML environments. The vulnerability allows local attackers with minimal privileges to trigger undefined behavior—exploitable for privilege escalation on multi-tenant ML platforms (Jupyter hubs, MLOps pipelines). Isolated single-user training boxes carry lower risk but should still patch.

Is CVE-2021-37666 actively exploited?

No confirmed active exploitation of CVE-2021-37666 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37666?

1. **Patch**: Upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4. The fix is in commit be7a4de6.
2. **Immediate workaround**: Audit code for direct use of `tf.raw_ops.RaggedTensorToVariant`; add explicit empty-splits validation before calling the op.
3. **Detection**: Monitor for crashes/undefined behavior in TF processes; correlate with user-submitted model code on shared platforms.
4. **Access control**: On shared ML platforms, restrict the ability to submit arbitrary TF ops or custom model code pending patch deployment.
5. **Inventory**: Run `pip show tensorflow` across all ML nodes; flag any instance below patched versions.

What systems are affected by CVE-2021-37666?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, shared ML platforms, model serving.

What is the CVSS score for CVE-2021-37666?

CVE-2021-37666 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in `tf.raw_ops.RaggedTensorToVariant`. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/ragged_tensor_to_variant_op.cc#L129) has an incomplete validation of the splits values, missing the case when the argument would be empty. We have patched the issue in GitHub commit be7a4de6adfbd303ce08be4332554dff70362612. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
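A caller-side check for the empty-splits case the description says was missed, written as an added example (it is not TensorFlow's code or the upstream patch). `validate_nested_splits` and `safe_ragged_to_variant` are hypothetical helper names. Beyond the empty case, the check also enforces the other row-splits invariants of a ragged tensor.

```python
from typing import Sequence


def validate_nested_splits(nested_splits: Sequence[Sequence[int]],
                           num_values: int) -> None:
    """Raise ValueError unless every splits vector is a valid row partition.

    nested_splits is ordered outermost first; num_values is the length of
    the first dimension of the dense values.
    """
    levels = [list(s) for s in nested_splits]
    for i, splits in enumerate(levels):
        if not splits:
            # The case the advisory says the kernel's validation missed.
            raise ValueError(f"splits[{i}] is empty")
    for i, splits in enumerate(levels):
        if splits[0] != 0:
            raise ValueError(f"splits[{i}] must start at 0")
        if any(b < a for a, b in zip(splits, splits[1:])):
            raise ValueError(f"splits[{i}] must be non-decreasing")
        # Each level must end at the row count of the level beneath it.
        below = len(levels[i + 1]) - 1 if i + 1 < len(levels) else num_values
        if splits[-1] != below:
            raise ValueError(f"splits[{i}] ends at {splits[-1]}, expected {below}")


def safe_ragged_to_variant(nested_splits, dense_values, batched_input=False):
    """Validate, then call the op. TensorFlow is imported only here."""
    validate_nested_splits(nested_splits, len(dense_values))
    import tensorflow as tf
    return tf.raw_ops.RaggedTensorToVariant(
        rt_nested_splits=[tf.constant(s, dtype=tf.int64) for s in nested_splits],
        rt_dense_values=tf.constant(dense_values),
        batched_input=batched_input)
```

Rejecting malformed splits in Python keeps them from reaching the kernel on hosts that cannot be upgraded yet; it does not replace the patched release.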

Exploitation Scenario

An adversary with a low-privileged account on a shared Jupyter notebook server or MLOps training cluster submits a Python script that calls `tf.raw_ops.RaggedTensorToVariant` with an empty splits tensor. The missing validation causes a null pointer dereference, triggering undefined behavior in the TF kernel process. Depending on memory layout and OS protections, this can escalate to arbitrary code execution in the context of the TF worker—potentially allowing the attacker to pivot to other users' model weights, training data, or credentials stored in the shared environment.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: August 12, 2021
Last Modified: November 21, 2024
First Seen: August 12, 2021
