CVE-2021-37670: TensorFlow heap OOB read

CISO Take

TensorFlow versions prior to 2.6.0 allow an attacker with local execution access to read arbitrary heap memory by passing malformed arguments to UpperBound/LowerBound raw ops. Patch immediately to TF 2.6.0+ or the respective backport releases (2.5.1, 2.4.3, 2.3.4). If patching is delayed, restrict who can execute arbitrary TensorFlow operations in shared environments such as Jupyter notebooks or multi-tenant ML platforms.

What is the risk?

Medium risk overall, but elevated in shared or multi-tenant ML environments. CVSS 5.5 with local attack vector and low privilege requirement means an attacker with any level of code execution on the ML host (e.g., data scientist on a shared notebook server) can exploit this. The primary concern is memory disclosure, which in ML environments may expose model weights, training data batches, or credentials cached in process memory. Not in CISA KEV and no evidence of active exploitation, but the low attack complexity makes it straightforward once local access is obtained.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 3d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

5.5 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 6% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I None

A None

What should I do?

6 steps

Patch: Upgrade to TensorFlow 2.6.0, or apply backports 2.5.1, 2.4.3, or 2.3.4 per your supported branch.
Verify version: pip show tensorflow or import tensorflow as tf; print(tf.__version__) across all environments.
Restrict raw ops: If upgrade is not immediately possible, disable or sandbox access to tf.raw_ops in shared environments using process isolation or container-level controls.
Audit notebook servers: Any multi-user JupyterHub or shared training cluster running affected TF versions should be treated as compromised until patched.
Detection: Log and alert on execution of tf.raw_ops.UpperBound or tf.raw_ops.LowerBound with unusual input shapes; crashes or memory errors in TF workloads may indicate probing.
Container hardening: Ensure ML workloads run with seccomp/AppArmor profiles limiting memory introspection capabilities.

How is it classified?

Data Extraction Supply Chain Framework Training Data AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system security and data protection

NIST AI RMF

GOVERN 1.1 - Policies and processes for AI risk management MANAGE 2.2 - Mechanisms to sustain deployment are monitored

Frequently Asked Questions

What is CVE-2021-37670?

TensorFlow versions prior to 2.6.0 allow an attacker with local execution access to read arbitrary heap memory by passing malformed arguments to UpperBound/LowerBound raw ops. Patch immediately to TF 2.6.0+ or the respective backport releases (2.5.1, 2.4.3, 2.3.4). If patching is delayed, restrict who can execute arbitrary TensorFlow operations in shared environments such as Jupyter notebooks or multi-tenant ML platforms.

Is CVE-2021-37670 actively exploited?

No confirmed active exploitation of CVE-2021-37670 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37670?

1. Patch: Upgrade to TensorFlow 2.6.0, or apply backports 2.5.1, 2.4.3, or 2.3.4 per your supported branch. 2. Verify version: `pip show tensorflow` or `import tensorflow as tf; print(tf.__version__)` across all environments. 3. Restrict raw ops: If upgrade is not immediately possible, disable or sandbox access to `tf.raw_ops` in shared environments using process isolation or container-level controls. 4. Audit notebook servers: Any multi-user JupyterHub or shared training cluster running affected TF versions should be treated as compromised until patched. 5. Detection: Log and alert on execution of `tf.raw_ops.UpperBound` or `tf.raw_ops.LowerBound` with unusual input shapes; crashes or memory errors in TF workloads may indicate probing. 6. Container hardening: Ensure ML workloads run with seccomp/AppArmor profiles limiting memory introspection capabilities.

What systems are affected by CVE-2021-37670?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared notebook environments.

What is the CVSS score for CVE-2021-37670?

CVE-2021-37670 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.17%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingshared notebook environments

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0025 Exfiltration via Cyber Means

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: A.6.2.6

NIST AI RMF: GOVERN 1.1, MANAGE 2.2

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can read from outside of bounds of heap allocated data by sending specially crafted illegal arguments to `tf.raw_ops.UpperBound`. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/searchsorted_op.cc#L85-L104) does not validate the rank of `sorted_input` argument. A similar issue occurs in `tf.raw_ops.LowerBound`. We have patched the issue in GitHub commit 42459e4273c2e47a3232cc16c4f4fff3b3a35c38. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to a shared ML training server (e.g., a rogue data scientist, compromised CI/CD pipeline, or malicious notebook) crafts a TensorFlow script calling `tf.raw_ops.UpperBound` with a `sorted_input` tensor of unexpected rank. Because the implementation skips rank validation, the operation proceeds past array bounds into adjacent heap memory. The attacker iterates over different input shapes and sizes to map out memory regions, potentially recovering other users' training data batches, feature tensors, or secrets stored in environment variables by co-located processes. In a multi-tenant GPU cluster where multiple training jobs share memory-mapped regions, the blast radius extends to data belonging to other tenants.

Weaknesses (CWE)

CWE-125 Out-of-bounds Read

CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] Use a language that provides appropriate memory abstractions.

Source: MITRE CWE corpus.