CVE-2021-37671: TensorFlow: null-ptr deref in Map ops, local C/I/A:High

HIGH
Published August 12, 2021
CISO Take

TensorFlow versions prior to 2.6.0 allow a low-privilege local attacker to trigger undefined behavior via empty `indices` in Map/OrderedMap raw ops, with confidentiality, integrity, and availability impact. Patch immediately to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4—multi-tenant ML platforms (shared Jupyter, cloud notebooks, CI/CD training jobs) are the highest-risk deployment patterns. No known active exploitation, but the low attack complexity makes this straightforward to trigger once an attacker has local access.

Risk Assessment

CVSS 7.8 High with local attack vector, low complexity, and low privileges required. The local-only vector reduces internet-facing exposure but is highly relevant in multi-tenant ML infrastructure where untrusted users submit TensorFlow jobs. Undefined behavior (CWE-824) typically signals potential for memory corruption beyond a simple crash—treat as possible code execution vector until proven otherwise. Not in CISA KEV and predates widespread exploitation of ML library CVEs, but the trivial exploitability warrants prompt patching.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch


Severity & Risk

CVSS 3.1
7.8 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 11% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

Recommended Action

  1. PATCH

    Upgrade to TensorFlow 2.6.0 (preferred), or backport patches to 2.5.1, 2.4.3, or 2.3.4 per GitHub commit 532f5c5a.

  2. DETECT

    Audit usage of `tf.raw_ops.Map`, `tf.raw_ops.MapStage`, `tf.raw_ops.OrderedMapStage`, and related ops in production code and notebooks.

  3. VALIDATE

    Add input validation to reject empty `indices` arrays before passing to Map ops—this is also a valid defense-in-depth measure post-patch.

  4. ISOLATE

    In multi-tenant environments, sandbox TensorFlow job execution (containers, VMs) to contain blast radius.

  5. INVENTORY

    Run `pip show tensorflow` across all ML hosts; flag anything below 2.3.4.
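
For the INVENTORY step, an added example (not code from the advisory or from TensorFlow) that classifies a version against the fixed release on each branch the page lists, so that 2.4.x and 2.5.0 installs are compared with 2.4.3 and 2.5.1. The `-cpu`/`-gpu` distribution names and the handling of pre-releases are assumptions.

```python
# Added example (not from the advisory): per-branch TensorFlow version check.
import re
from importlib import metadata

# First fixed patch level on each release branch, as listed on this page.
FIXED = {(2, 3): 4, (2, 4): 3, (2, 5): 1, (2, 6): 0}
# Distribution names to probe; the -cpu/-gpu variants are an assumption here.
DISTS = ("tensorflow", "tensorflow-cpu", "tensorflow-gpu")


def parse(version):
    """Split '2.4.1' or '2.6.0rc0' into (major, minor, patch, is_prerelease)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(.*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    pre = re.match(r"[-_.]?(a|b|rc|dev)", m.group(4)) is not None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), pre


def is_vulnerable(version):
    """True if the version lacks the fix according to the page's release list."""
    major, minor, patch, pre = parse(version)
    branch = (major, minor)
    if branch > max(FIXED):
        return False            # 2.7 and later descend from a fixed release
    if branch not in FIXED:
        return True             # older branches: no fixed release is listed
    first_fixed = FIXED[branch]
    # Assumption: a pre-release of the first fixed version is treated as unfixed.
    return patch < first_fixed or (patch == first_fixed and pre)


def installed_status():
    """Return {distribution: (version, vulnerable)} for this interpreter."""
    status = {}
    for name in DISTS:
        try:
            version = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
        status[name] = (version, is_vulnerable(version))
    return status


if __name__ == "__main__":
    for name, (version, vulnerable) in installed_status().items():
        print(name, version, "VULNERABLE" if vulnerable else "ok")
```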

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
6.1 - Actions to address risks and opportunities
A.8.2 - AI system operation
NIST AI RMF
GOVERN 1.7 - Processes and procedures are in place for decommissioning and phasing out AI systems safely
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems

Frequently Asked Questions

What is CVE-2021-37671?

TensorFlow versions prior to 2.6.0 allow a low-privilege local attacker to trigger undefined behavior via empty `indices` in Map/OrderedMap raw ops, with confidentiality, integrity, and availability impact. Patch immediately to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4—multi-tenant ML platforms (shared Jupyter, cloud notebooks, CI/CD training jobs) are the highest-risk deployment patterns. No known active exploitation, but the low attack complexity makes this straightforward to trigger once an attacker has local access.

Is CVE-2021-37671 actively exploited?

No confirmed active exploitation of CVE-2021-37671 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37671?

1. PATCH: Upgrade to TensorFlow 2.6.0 (preferred), or backport patches to 2.5.1, 2.4.3, or 2.3.4 per GitHub commit 532f5c5a.
2. DETECT: Audit usage of `tf.raw_ops.Map`, `tf.raw_ops.MapStage`, `tf.raw_ops.OrderedMapStage`, and related ops in production code and notebooks.
3. VALIDATE: Add input validation to reject empty `indices` arrays before passing to Map ops—this is also a valid defense-in-depth measure post-patch.
4. ISOLATE: In multi-tenant environments, sandbox TensorFlow job execution (containers, VMs) to contain blast radius.
5. INVENTORY: Run `pip show tensorflow` across all ML hosts; flag anything below 2.3.4.
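
For the DETECT step, an added example (not code from the advisory or from TensorFlow) that walks the Python AST of scripts and notebook code cells and reports references to `raw_ops` names in the `Map*` and `OrderedMap*` families. The prefix match follows the advisory's wording and can flag ops outside the affected kernels, so hits need manual triage; function names and the sample notebook are constructed.

```python
# Added example (not TensorFlow or advisory code); SAMPLE_NB is constructed.
import ast
import json

PREFIXES = ("Map", "OrderedMap")  # op families named in the advisory


def dotted(node):
    """Rebuild 'a.b.c' from an attribute chain, or None if it is not one."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None


def find_raw_map_ops(source):
    """Return sorted (line, name) pairs for raw_ops.Map*/OrderedMap* uses."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr.startswith(PREFIXES):
            name = dotted(node)
            if name and name.split(".")[-2] == "raw_ops":
                hits.add((node.lineno, name))
        elif isinstance(node, ast.ImportFrom) and (node.module or "").endswith("raw_ops"):
            hits.update((node.lineno, f"{node.module}.{a.name}")
                        for a in node.names if a.name.startswith(PREFIXES))
    return sorted(hits)


def scan_notebook(nb_json):
    """Scan the code cells of an .ipynb document passed as a JSON string."""
    hits = []
    for idx, cell in enumerate(json.loads(nb_json).get("cells", [])):
        if cell.get("cell_type") != "code":
            continue
        src = "".join(cell.get("source", ""))  # source is a str or list of str
        try:
            hits += [(idx, line, name) for line, name in find_raw_map_ops(src)]
        except SyntaxError:  # IPython magics and the like: review by hand
            hits.append((idx, 0, "<unparsed cell>"))
    return hits


SAMPLE_NB = json.dumps({"cells": [
    {"cell_type": "code", "source": ["%matplotlib inline\n"]},
    {"cell_type": "code", "source": "import tensorflow as tf\np = tf.raw_ops.OrderedMapPeek\n"},
]})
```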

What systems are affected by CVE-2021-37671?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML notebooks, batch inference, multi-tenant ML platforms.

What is the CVSS score for CVE-2021-37671?

CVE-2021-37671 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in `tf.raw_ops.Map*` and `tf.raw_ops.OrderedMap*` operations. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/map_stage_op.cc#L222-L248) has a check in place to ensure that `indices` is in ascending order, but does not check that `indices` is not empty. We have patched the issue in GitHub commit 532f5c5a547126c634fefd43bbad1dc6417678ac. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
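
The gap described above, as an added Python model (not TensorFlow's kernel code): an ordering test on its own accepts an empty sequence because there are no adjacent pairs to compare, which is why a separate emptiness check is needed. The function names are hypothetical, and rejecting duplicate indices is an assumption about what "ascending" means.

```python
# Added example: a Python model of the check described above, not TensorFlow's
# kernel code. Function names are hypothetical.


def ordering_check_only(indices):
    """Ordering test alone: no pairs exist for an empty input, so it passes."""
    return all(a < b for a, b in zip(indices, indices[1:]))


def validate_indices(indices):
    """Guard for caller code: return a clean list or raise ValueError."""
    if hasattr(indices, "numpy"):    # eager tf.Tensor -> ndarray
        indices = indices.numpy()
    if hasattr(indices, "tolist"):   # ndarray -> list (or a scalar if 0-d)
        indices = indices.tolist()
    if not isinstance(indices, (list, tuple)):
        raise ValueError("indices must be a 1-D sequence")
    if len(indices) == 0:
        raise ValueError("indices must not be empty")
    if not all(isinstance(i, int) and not isinstance(i, bool) for i in indices):
        raise ValueError("indices must contain only integers")
    # Assumption: duplicates are rejected, i.e. "ascending" means strictly so.
    if not ordering_check_only(indices):
        raise ValueError("indices must be in ascending order")
    return list(indices)
```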

Exploitation Scenario

An insider threat or compromised low-privilege account on a shared ML platform (e.g., data scientist access to a Kubeflow notebook server) crafts a TensorFlow script that calls `tf.raw_ops.MapStage` or `tf.raw_ops.OrderedMapStage` with an empty `indices` tensor. Because the kernel never checks that `indices` is non-empty, it binds a reference to a null pointer, triggering undefined behavior. On a training cluster, this crashes the training job process—potentially disrupting long-running model training or corrupting checkpoints. On a model serving endpoint that exposes raw TF op execution, this becomes a remote denial-of-service. A more sophisticated attacker studying the memory layout could attempt to turn the null dereference into a controlled write primitive for code execution.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
August 12, 2021
Last Modified
November 21, 2024
First Seen
August 12, 2021
