AI Threat Alert AI Threat Alert

CVE-2021-37670: TensorFlow: heap OOB read in sorting ops

MEDIUM
Published August 12, 2021
CISO Take

TensorFlow versions prior to 2.6.0 allow an attacker with local execution access to read arbitrary heap memory by passing malformed arguments to UpperBound/LowerBound raw ops. Patch immediately to TF 2.6.0+ or the respective backport releases (2.5.1, 2.4.3, 2.3.4). If patching is delayed, restrict who can execute arbitrary TensorFlow operations in shared environments such as Jupyter notebooks or multi-tenant ML platforms.

Risk Assessment

Medium risk overall, but elevated in shared or multi-tenant ML environments. CVSS 5.5 with local attack vector and low privilege requirement means an attacker with any level of code execution on the ML host (e.g., data scientist on a shared notebook server) can exploit this. The primary concern is memory disclosure, which in ML environments may expose model weights, training data batches, or credentials cached in process memory. Not in CISA KEV and no evidence of active exploitation, but the low attack complexity makes it straightforward once local access is obtained.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
5.5 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 17% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Moderate

Attack Surface

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I None
A None

Recommended Action

6 steps

  1. Patch: Upgrade to TensorFlow 2.6.0, or apply backports 2.5.1, 2.4.3, or 2.3.4 per your supported branch.

  2. Verify version: pip show tensorflow or import tensorflow as tf; print(tf.__version__) across all environments.

  3. Restrict raw ops: If upgrade is not immediately possible, disable or sandbox access to tf.raw_ops in shared environments using process isolation or container-level controls.

  4. Audit notebook servers: Any multi-user JupyterHub or shared training cluster running affected TF versions should be treated as compromised until patched.

  5. Detection: Log and alert on execution of tf.raw_ops.UpperBound or tf.raw_ops.LowerBound with unusual input shapes; crashes or memory errors in TF workloads may indicate probing.

  6. Container hardening: Ensure ML workloads run with seccomp/AppArmor profiles limiting memory introspection capabilities.

Classification

Data Extraction Supply Chain Framework Training Data AML.T0010.001 AML.T0025 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security and data protection
NIST AI RMF
GOVERN 1.1 - Policies and processes for AI risk management MANAGE 2.2 - Mechanisms to sustain deployment are monitored

Frequently Asked Questions

What is CVE-2021-37670?

TensorFlow versions prior to 2.6.0 allow an attacker with local execution access to read arbitrary heap memory by passing malformed arguments to UpperBound/LowerBound raw ops. Patch immediately to TF 2.6.0+ or the respective backport releases (2.5.1, 2.4.3, 2.3.4). If patching is delayed, restrict who can execute arbitrary TensorFlow operations in shared environments such as Jupyter notebooks or multi-tenant ML platforms.

Is CVE-2021-37670 actively exploited?

No confirmed active exploitation of CVE-2021-37670 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37670?

1. Patch: Upgrade to TensorFlow 2.6.0, or apply backports 2.5.1, 2.4.3, or 2.3.4 per your supported branch. 2. Verify version: `pip show tensorflow` or `import tensorflow as tf; print(tf.__version__)` across all environments. 3. Restrict raw ops: If upgrade is not immediately possible, disable or sandbox access to `tf.raw_ops` in shared environments using process isolation or container-level controls. 4. Audit notebook servers: Any multi-user JupyterHub or shared training cluster running affected TF versions should be treated as compromised until patched. 5. Detection: Log and alert on execution of `tf.raw_ops.UpperBound` or `tf.raw_ops.LowerBound` with unusual input shapes; crashes or memory errors in TF workloads may indicate probing. 6. Container hardening: Ensure ML workloads run with seccomp/AppArmor profiles limiting memory introspection capabilities.

What systems are affected by CVE-2021-37670?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared notebook environments.

What is the CVSS score for CVE-2021-37670?

CVE-2021-37670 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.05%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can read from outside of bounds of heap allocated data by sending specially crafted illegal arguments to `tf.raw_ops.UpperBound`. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/searchsorted_op.cc#L85-L104) does not validate the rank of `sorted_input` argument. A similar issue occurs in `tf.raw_ops.LowerBound`. We have patched the issue in GitHub commit 42459e4273c2e47a3232cc16c4f4fff3b3a35c38. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to a shared ML training server (e.g., a rogue data scientist, compromised CI/CD pipeline, or malicious notebook) crafts a TensorFlow script calling `tf.raw_ops.UpperBound` with a `sorted_input` tensor of unexpected rank. Because the implementation skips rank validation, the operation proceeds past array bounds into adjacent heap memory. The attacker iterates over different input shapes and sizes to map out memory regions, potentially recovering other users' training data batches, feature tensors, or secrets stored in environment variables by co-located processes. In a multi-tenant GPU cluster where multiple training jobs share memory-mapped regions, the blast radius extends to data belonging to other tenants.

Weaknesses (CWE)

CWE-125

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published
August 12, 2021
Last Modified
November 21, 2024
First Seen
August 12, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed