CVE-2021-37666: TensorFlow: null-ptr deref in RaggedTensorToVariant op

HIGH
Published August 12, 2021
CISO Take

Patch TensorFlow to 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately in shared ML environments. The vulnerability allows local attackers with minimal privileges to trigger undefined behavior—exploitable for privilege escalation on multi-tenant ML platforms (Jupyter hubs, MLOps pipelines). Isolated single-user training boxes carry lower risk but should still patch.

What is the risk?

High severity (CVSS 7.8) with low attack complexity and no user interaction required. The local attack vector limits internet-scale exposure, but multi-tenant ML infrastructure—shared notebooks, model training clusters, GPU servers with multiple users—represents a realistic exploitation surface. No evidence of active exploitation or CISA KEV listing, but the low privilege requirement makes this accessible to any authenticated user on a shared system.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | | No patch |

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 7.8 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 7% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

  1. Patch

    Upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4. The fix is in commit be7a4de6.

  2. Immediate workaround

    Audit code for direct use of tf.raw_ops.RaggedTensorToVariant; add explicit empty-splits validation before calling the op.

  3. Detection

    Monitor for crashes/undefined behavior in TF processes; correlate with user-submitted model code on shared platforms.

  4. Access control

    On shared ML platforms, restrict the ability to submit arbitrary TF ops or custom model code pending patch deployment.

  5. Inventory

    Run pip show tensorflow across all ML nodes; flag any instance below patched versions.
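One way to carry out the inventory step, as an added example that is not part of the original page: it parses `pip show` output per node and compares each version with the fixed release for its branch. The node names, the sample output and the `tensorflow-cpu`/`tensorflow-gpu` package variants are assumptions of this example.

```python
import re

# Fixed releases named on this page, keyed by (major, minor) release branch.
FIXED = {(2, 3): (2, 3, 4), (2, 4): (2, 4, 3), (2, 5): (2, 5, 1), (2, 6): (2, 6, 0)}
# Distribution names to check; the -cpu/-gpu variants are an assumption here.
PACKAGES = {"tensorflow", "tensorflow-cpu", "tensorflow-gpu"}

def parse_pip_show(text):
    """Return (name, version) from `pip show` output, or None if not installed."""
    fields = dict(l.split(": ", 1) for l in text.splitlines() if ": " in l)
    if "Name" not in fields or "Version" not in fields:
        return None
    return fields["Name"].strip().lower(), fields["Version"].strip()

def classify(version):
    """Return 'patched', 'vulnerable', 'unsupported' or 'unknown'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(.*)$", version)
    if not m:
        return "unknown"
    ver = tuple(int(g) for g in m.groups()[:3])
    branch = ver[:2]
    if branch > max(FIXED):
        return "patched"      # branch newer than 2.6
    if branch not in FIXED:
        return "unsupported"  # the page names no fixed release for this branch
    # A pre-release of the fixed version (e.g. 2.6.0rc1) is flagged conservatively.
    prerelease = re.match(r"\.?(a|b|rc|dev)\d*", m.group(4)) is not None
    if ver > FIXED[branch] or (ver == FIXED[branch] and not prerelease):
        return "patched"
    return "vulnerable"

def flag_nodes(inventory):
    """inventory maps node -> pip show text; return {node: (version, status)}."""
    flagged = {}
    for node, text in inventory.items():
        name, version = parse_pip_show(text) or (None, None)
        if name in PACKAGES and classify(version) != "patched":
            flagged[node] = (version, classify(version))
    return flagged

# Constructed sample: `pip show tensorflow` output gathered from five nodes.
SAMPLE = {
    "gpu-node-01": "Name: tensorflow\nVersion: 2.5.0\nSummary: constructed",
    "gpu-node-02": "Name: tensorflow-gpu\nVersion: 2.4.3\n",
    "nb-host-03": "Name: tensorflow\nVersion: 2.6.0rc1\n",
    "legacy-04": "Name: tensorflow\nVersion: 1.15.5\n",
    "train-05": "",  # pip show printed nothing: package not installed
}
print(flag_nodes(SAMPLE))
```
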

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI system risk assessment
NIST AI RMF: MANAGE 2.2 - Sustain value of deployed AI systems
OWASP LLM Top 10: LLM03:2025 - Supply Chain

Frequently Asked Questions

What is CVE-2021-37666?

Patch TensorFlow to 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately in shared ML environments. The vulnerability allows local attackers with minimal privileges to trigger undefined behavior—exploitable for privilege escalation on multi-tenant ML platforms (Jupyter hubs, MLOps pipelines). Isolated single-user training boxes carry lower risk but should still patch.

Is CVE-2021-37666 actively exploited?

No confirmed active exploitation of CVE-2021-37666 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37666?

1. **Patch**: Upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4. The fix is in commit be7a4de6.
2. **Immediate workaround**: Audit code for direct use of `tf.raw_ops.RaggedTensorToVariant`; add explicit empty-splits validation before calling the op.
3. **Detection**: Monitor for crashes/undefined behavior in TF processes; correlate with user-submitted model code on shared platforms.
4. **Access control**: On shared ML platforms, restrict the ability to submit arbitrary TF ops or custom model code pending patch deployment.
5. **Inventory**: Run `pip show tensorflow` across all ML nodes; flag any instance below patched versions.

What systems are affected by CVE-2021-37666?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, shared ML platforms, model serving.

What is the CVSS score for CVE-2021-37666?

CVE-2021-37666 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.17%.

What is the AI security impact?

Affected AI Architectures

training pipelines, shared ML platforms, model serving

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in `tf.raw_ops.RaggedTensorToVariant`. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/ragged_tensor_to_variant_op.cc#L129) has an incomplete validation of the splits values, missing the case when the argument would be empty. We have patched the issue in GitHub commit be7a4de6adfbd303ce08be4332554dff70362612. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with a low-privileged account on a shared Jupyter notebook server or MLOps training cluster submits a Python script that calls `tf.raw_ops.RaggedTensorToVariant` with an empty splits tensor. The missing validation causes a null pointer dereference, triggering undefined behavior in the TF kernel process. Depending on memory layout and OS protections, this can escalate to arbitrary code execution in the context of the TF worker—potentially allowing the attacker to pivot to other users' model weights, training data, or credentials stored in the shared environment.
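The empty-splits validation recommended in the workaround step, for the case the advisory describes as unvalidated, as an added example that is not TensorFlow's own fix or code from this page. The wrapper name, its `op` parameter and the extra row-splits consistency checks are assumptions of this example; inputs are taken to be plain Python sequences or arrays.

```python
def validate_ragged_inputs(rt_nested_splits, num_values):
    """Raise ValueError unless the splits describe a well-formed ragged tensor."""
    levels = [[int(s) for s in splits] for splits in rt_nested_splits]
    # The case the advisory describes as unvalidated: an empty splits argument.
    # Treating an empty inner splits vector the same way is this example's choice.
    if not levels:
        raise ValueError("rt_nested_splits is empty")
    for depth, splits in enumerate(levels):
        if not splits:
            raise ValueError(f"rt_nested_splits[{depth}] is empty")
    for depth, splits in enumerate(levels):
        if splits[0] != 0:
            raise ValueError(f"rt_nested_splits[{depth}] must start at 0")
        if any(b < a for a, b in zip(splits, splits[1:])):
            raise ValueError(f"rt_nested_splits[{depth}] must be non-decreasing")
        # Each level's last split marks the end of the next level's rows,
        # or the end of the dense values at the innermost level.
        inner = len(levels[depth + 1]) - 1 if depth + 1 < len(levels) else num_values
        if splits[-1] != inner:
            raise ValueError(
                f"rt_nested_splits[{depth}] ends at {splits[-1]}, expected {inner}")


def guarded_ragged_to_variant(op, rt_nested_splits, rt_dense_values, batched_input):
    """Validate, then call `op` (pass tf.raw_ops.RaggedTensorToVariant here)."""
    validate_ragged_inputs(rt_nested_splits, len(rt_dense_values))
    return op(rt_nested_splits=rt_nested_splits,
              rt_dense_values=rt_dense_values,
              batched_input=batched_input)


if __name__ == "__main__":
    # Constructed inputs; a stub stands in for the real op so this runs
    # without TensorFlow installed.
    stub = lambda **kw: ("variant", kw["batched_input"])
    print(guarded_ragged_to_variant(stub, [[0, 2, 3]], [10, 20, 30], True))
    for bad in ([], [[]], [[0, 2, 5]]):
        try:
            guarded_ragged_to_variant(stub, bad, [10, 20, 30], True)
        except ValueError as err:
            print("rejected:", err)
```
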

Weaknesses (CWE)

CWE-824 — Access of Uninitialized Pointer: The product accesses or uses a pointer that has not been initialized.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: August 12, 2021
Last Modified: November 21, 2024
First Seen: August 12, 2021

Related Vulnerabilities