CVE-2021-37667: TensorFlow: UnicodeEncode null deref, local code exec
HIGH
A low-privileged local attacker can trigger undefined behavior (null pointer dereference) in TensorFlow's UnicodeEncode op by passing an empty input_splits tensor, potentially leading to process crash or arbitrary code execution. In shared ML platforms—Jupyter hubs, Kubeflow, ML training infrastructure—any tenant with op execution access is a viable threat actor. Patch immediately to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4.
Risk Assessment
CVSS 7.8 High with local/low-complexity/low-privilege profile makes this a credible insider or lateral-movement vector in shared ML environments. Not in CISA KEV and no active exploitation evidence, reducing urgency for air-gapped or single-tenant deployments. However, multi-tenant ML platforms (shared notebooks, model training clusters) amplify risk significantly—any authenticated user becomes a potential attacker. NLP preprocessing pipelines that expose raw op access to user-controlled data are at highest risk.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | — | No patch |
Recommended Action
1. Patch: Upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4 (cherry-picked fix in all supported branches).
2. Input validation: Add explicit shape/size validation on input_splits tensors before passing to UnicodeEncode—reject empty or zero-dimension tensors at application layer.
3. Least privilege: Restrict access to tf.raw_ops in multi-tenant environments; use TF's disable_eager_execution guards or op allowlisting where available.
4. Detection: Monitor for segfaults or abnormal process crashes in TF serving pods/containers—unexpected exits in inference services may indicate exploitation attempts.
5. Container isolation: Ensure TF processes run in isolated namespaces with no host-level privileges to limit blast radius.
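One way to implement the input-validation step at the application layer, as an added example (not TensorFlow's own code or the upstream fix). `splits_error` and `safe_unicode_encode` are hypothetical names; beyond the empty check the advisory names, the sketch also enforces the row-splits invariants a ragged tensor requires, and it assumes the inputs arrive as plain Python lists.

```python
from typing import Optional, Sequence


def splits_error(input_values: Sequence[int], input_splits) -> Optional[str]:
    """Return why input_splits is unusable for UnicodeEncode, or None if it is fine.

    Works on plain Python lists/tuples of ints (e.g. ndarray.tolist() output).
    """
    # A scalar (0-dimension) value has no first dimension to read.
    if not isinstance(input_splits, (list, tuple)):
        return "input_splits must be a 1-D vector"
    # The case behind CVE-2021-37667: an empty splits vector (shape [0]).
    if len(input_splits) == 0:
        return "input_splits is empty"
    # Nested rows or non-integers mean the rank or dtype is wrong.
    if any(isinstance(s, bool) or not isinstance(s, int) for s in input_splits):
        return "input_splits must contain only integers"
    # Row-splits invariants, beyond the empty check the advisory names.
    if input_splits[0] != 0:
        return "input_splits must start at 0"
    if any(b < a for a, b in zip(input_splits, input_splits[1:])):
        return "input_splits must be non-decreasing"
    if input_splits[-1] != len(input_values):
        return "last split must equal len(input_values)"
    return None


def safe_unicode_encode(input_values, input_splits, output_encoding="UTF-8"):
    """Hypothetical wrapper: refuse bad splits before the native kernel sees them."""
    reason = splits_error(input_values, input_splits)
    if reason is not None:
        raise ValueError(f"UnicodeEncode rejected: {reason}")
    import tensorflow as tf  # lazy import so splits_error() is usable without TF
    return tf.raw_ops.UnicodeEncode(input_values=input_values,
                                    input_splits=input_splits,
                                    output_encoding=output_encoding)
```

This check is defense in depth for services that cannot upgrade immediately; it does not replace the patched releases.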
Frequently Asked Questions
What is CVE-2021-37667?
A low-privileged local attacker can trigger undefined behavior (null pointer dereference) in TensorFlow's UnicodeEncode op by passing an empty input_splits tensor, potentially leading to process crash or arbitrary code execution. In shared ML platforms—Jupyter hubs, Kubeflow, ML training infrastructure—any tenant with op execution access is a viable threat actor. Patch immediately to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4.
Is CVE-2021-37667 actively exploited?
No confirmed active exploitation of CVE-2021-37667 has been reported, but organizations should still patch proactively.
How to fix CVE-2021-37667?
1. Patch: Upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4 (cherry-picked fix in all supported branches).
2. Input validation: Add explicit shape/size validation on input_splits tensors before passing to UnicodeEncode—reject empty or zero-dimension tensors at application layer.
3. Least privilege: Restrict access to tf.raw_ops in multi-tenant environments; use TF's disable_eager_execution guards or op allowlisting where available.
4. Detection: Monitor for segfaults or abnormal process crashes in TF serving pods/containers—unexpected exits in inference services may indicate exploitation attempts.
5. Container isolation: Ensure TF processes run in isolated namespaces with no host-level privileges to limit blast radius.
What systems are affected by CVE-2021-37667?
This vulnerability affects the following AI/ML architecture patterns: NLP training pipelines, model serving, shared ML platforms / multi-tenant notebooks, text preprocessing pipelines, inference infrastructure.
What is the CVSS score for CVE-2021-37667?
CVE-2021-37667 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.
Technical Details
NVD Description
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in `tf.raw_ops.UnicodeEncode`. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/unicode_ops.cc#L533-L539) reads the first dimension of the `input_splits` tensor before validating that this tensor is not empty. We have patched the issue in GitHub commit 2e0ee46f1a47675152d3d865797a18358881d7a6. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
Exploitation Scenario
An attacker with access to a shared Jupyter notebook environment or ML training platform submits a crafted tensor job: they call tf.raw_ops.UnicodeEncode with an empty input_splits tensor (shape [0]). The vulnerable code reads the first dimension before validating non-empty, binding a reference to a null pointer. In a process crash scenario this takes down the shared inference service (DoS). In a more sophisticated variant, the attacker crafts heap layout to redirect execution flow within the TF worker process, escalating to code execution under the service account running TensorFlow Serving—potentially gaining access to model weights, training data, or downstream ML pipeline credentials.
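A detection-side check for the crash outcome described above, as an added example that is not part of the original advisory. It scans pod status in the shape returned by `kubectl get pods -o json` for containers whose last termination was a SIGSEGV; the pod names, namespace and timestamps in the sample are constructed.

```python
import json

SIGSEGV = 11

# Constructed sample in the shape of `kubectl get pods -o json` output.
SAMPLE_PODS = json.loads("""
{"items": [
 {"metadata": {"namespace": "ml", "name": "tf-serving-0"},
  "status": {"containerStatuses": [
   {"name": "serving", "restartCount": 4,
    "lastState": {"terminated": {"exitCode": 139, "reason": "Error",
                                 "finishedAt": "2021-08-13T10:02:11Z"}}}]}},
 {"metadata": {"namespace": "ml", "name": "tf-serving-1"},
  "status": {"containerStatuses": [
   {"name": "serving", "restartCount": 0, "lastState": {}}]}},
 {"metadata": {"namespace": "ml", "name": "trainer-7"},
  "status": {"containerStatuses": [
   {"name": "worker", "restartCount": 1,
    "lastState": {"terminated": {"exitCode": 137, "reason": "OOMKilled",
                                 "finishedAt": "2021-08-13T09:40:00Z"}}}]}}
]}
""")


def segfault_exits(pod_list: dict) -> list:
    """Return one record per container termination caused by SIGSEGV."""
    hits = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        for cs in pod.get("status", {}).get("containerStatuses", []):
            # A crash shows up in lastState after a restart, or in state if not restarted.
            for state in (cs.get("lastState", {}), cs.get("state", {})):
                term = state.get("terminated")
                if not term:
                    continue
                # 128 + signal number is the exit code reported for death by signal.
                if term.get("signal") == SIGSEGV or term.get("exitCode") == 128 + SIGSEGV:
                    hits.append({"namespace": meta.get("namespace"),
                                 "pod": meta.get("name"),
                                 "container": cs.get("name"),
                                 "restarts": cs.get("restartCount", 0),
                                 "finishedAt": term.get("finishedAt")})
    return hits
```

Exit code 139 marks any segmentation fault, not this CVE specifically, so a hit is a prompt to correlate with request logs for the same time window.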
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Related Vulnerabilities
CVE-2020-15196 9.9 TensorFlow: heap OOB read in sparse/ragged count ops (Same package: tensorflow)
CVE-2020-15205 9.8 TensorFlow: heap overflow in StringNGrams, ASLR bypass (Same package: tensorflow)
CVE-2020-15208 9.8 TFLite: OOB read/write via tensor dimension mismatch (Same package: tensorflow)
CVE-2019-16778 9.8 TensorFlow: heap overflow in UnsortedSegmentSum op (Same package: tensorflow)
CVE-2022-23587 9.8 TensorFlow: integer overflow in Grappler enables RCE (Same package: tensorflow)