CVE-2021-37673: TensorFlow: MapStage CHECK-fail causes process DoS

MEDIUM
Published August 12, 2021
CISO Take

A local attacker can crash TensorFlow processes by passing an empty key tensor to tf.raw_ops.MapStage, disrupting training jobs and inference services. Upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately if running affected versions. Risk is elevated in shared or multi-tenant ML platforms where untrusted users can submit workloads.

Risk Assessment

Medium risk overall, but contextually higher in multi-tenant ML environments. The CVSS score of 5.5 reflects the local access requirement, which limits broad exploitation. However, low attack complexity means any authenticated user in a shared Jupyter/Kubeflow/ML platform can trivially trigger it. There is no confidentiality or integrity impact: this is pure availability disruption. Not in CISA KEV, and no known active exploitation in the wild as of the patch date.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 5.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 2% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: None
A: High

Recommended Action

  1. Patch: Upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4 (all contain commit d7de677).

  2. Workaround: If immediate upgrade is not possible, add input validation to reject empty or zero-dimensional tensors before passing to MapStage.

  3. Isolation: Restrict access to raw TF op execution in multi-tenant environments via resource quotas and sandboxing (e.g., gVisor for Kubernetes ML workloads).

  4. Detection: Monitor for unexpected TF process crashes or CHECK-failure stack traces in application logs containing 'map_stage_op.cc'.

  5. Audit: Inventory all TensorFlow versions in use across training and serving infrastructure.
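
Steps 4 and 5 above as an added Python example (not from the advisory or the TensorFlow project): it flags hosts whose TensorFlow version predates the fixed releases listed in step 1 and picks fatal log lines from map_stage_op.cc out of a log. The host names, versions and log lines are constructed, and treating branches older than 2.3 as unpatched is an assumption.

```python
import re

# First fixed patch level per release branch, from the versions named on this page.
FIXED = {(2, 3): 4, (2, 4): 3, (2, 5): 1}
FIRST_FIXED_BRANCH = (2, 6)

# TensorFlow C++ log line: "<date> <time>: <severity> <file>:<line>] <message>".
# Severity F (fatal) is what a failed CHECK logs before the process aborts.
FATAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+): F (?P<file>\S*map_stage_op\.cc):(?P<line>\d+)\] (?P<msg>.*)$"
)

def is_patched(version):
    """True if this TensorFlow version contains the fix, per the page's list."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) >= FIRST_FIXED_BRANCH:
        return True
    # Assumption: branches older than 2.3 received no fix, so they count as unpatched.
    return patch >= FIXED.get((major, minor), float("inf"))

def unpatched_hosts(inventory):
    """Sorted host names whose installed TensorFlow lacks the fix."""
    return sorted(h for h, v in inventory.items() if not is_patched(v))

def find_map_stage_aborts(lines):
    """Return (timestamp, source line, message) for each fatal map_stage_op.cc log."""
    hits = []
    for raw in lines:
        m = FATAL_RE.match(raw.strip())
        if m:
            hits.append((m["ts"], int(m["line"]), m["msg"]))
    return hits

# Constructed inventory and log lines, for illustration only.
INVENTORY = {"train-01": "2.5.0", "serve-01": "2.4.3", "nb-07": "2.2.1", "serve-02": "2.6.0"}
SAMPLE_LOG = [
    "2021-08-12 09:14:02.118301: I tensorflow/core/platform/example.cc:42] (constructed info line)",
    "2021-08-12 09:14:07.552910: F tensorflow/core/kernels/map_stage_op.cc:513] Check failed: (constructed message)",
    "2021-08-12 09:14:09.000112: W tensorflow/core/kernels/map_stage_op.cc:200] (constructed warning)",
]

if __name__ == "__main__":
    print("unpatched:", unpatched_hosts(INVENTORY))
    print("aborts:", find_map_stage_aborts(SAMPLE_LOG))
```

Only severity F lines are reported, so informational or warning output from the same source file does not raise an alert.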

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk Management System
ISO 42001: A.9.7 - AI system availability and resilience
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place to sustain value of deployed AI systems
OWASP LLM Top 10: LLM09:2025 - Misinformation / System Availability

Frequently Asked Questions

What is CVE-2021-37673?

A local attacker can crash TensorFlow processes by passing an empty key tensor to tf.raw_ops.MapStage, disrupting training jobs and inference services. Upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately if running affected versions. Risk is elevated in shared or multi-tenant ML platforms where untrusted users can submit workloads.

Is CVE-2021-37673 actively exploited?

No confirmed active exploitation of CVE-2021-37673 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37673?

  1. Patch: Upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4 (all contain commit d7de677).

  2. Workaround: If immediate upgrade is not possible, add input validation to reject empty or zero-dimensional tensors before passing to MapStage.

  3. Isolation: Restrict access to raw TF op execution in multi-tenant environments via resource quotas and sandboxing (e.g., gVisor for Kubernetes ML workloads).

  4. Detection: Monitor for unexpected TF process crashes or CHECK-failure stack traces in application logs containing 'map_stage_op.cc'.

  5. Audit: Inventory all TensorFlow versions in use across training and serving infrastructure.

What systems are affected by CVE-2021-37673?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, distributed training.

What is the CVSS score for CVE-2021-37673?

CVE-2021-37673 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.MapStage`. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/map_stage_op.cc#L513) does not check that the `key` input is a valid non-empty tensor. We have patched the issue in GitHub commit d7de67733925de196ec8863a33445b73f9562d1d. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with local access to a shared ML platform (e.g., a Jupyter notebook environment or Kubeflow pipeline runner) imports TensorFlow and calls tf.raw_ops.MapStage with a zero-element or empty key tensor. TensorFlow's internal CHECK assertion fires, raising an unhandled C++ exception that terminates the TF runtime process. In a multi-user training cluster, this disrupts co-located training jobs and may trigger cascading failures in distributed training coordination. The exploit requires no special knowledge — a one-liner is sufficient once the attacker knows the target runs a vulnerable TF version.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: August 12, 2021
Last Modified: November 21, 2024
First Seen: August 12, 2021
