CVE-2021-37675: TensorFlow: DoS via division by zero in conv ops

MEDIUM PoC AVAILABLE
Published August 12, 2021
CISO Take

A local attacker with low privileges can crash any TensorFlow process by submitting tensors with crafted shapes to convolution operators, causing a division-by-zero in shape inference. In multi-tenant ML serving environments or shared training clusters, this is a denial-of-service risk to model availability. Patch immediately to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4 and enforce input shape validation at API boundaries.

What is the risk?

Medium risk overall, but elevated in production ML serving contexts. The local attack vector and low privilege requirement mean an attacker needs either direct system access or the ability to influence model inputs (e.g., via a serving API). The crash is deterministic and trivially reproducible — no ML expertise required. Impact is limited to availability (no data exfiltration or integrity compromise). Not in CISA KEV and no public exploitation evidence as of knowledge cutoff.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 5.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 5% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

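AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High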

What should I do?

  1. Patch: Upgrade to TensorFlow 2.6.0 (or cherry-picked fixes: 2.5.1, 2.4.3, 2.3.4). Commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4 is the authoritative fix.

  2. Input validation: Enforce strict tensor shape validation at all serving API entry points before shapes reach TF kernels. Reject zero-dimension or otherwise invalid shapes at the application layer.

  3. Isolation: Run TensorFlow inference workers in isolated processes with watchdog restart — this limits DoS impact to a single worker rather than the entire serving fleet.

  4. Detection: Monitor for abnormal process crash rates in ML serving infra; a spike of shape-related crashes may indicate probing or active exploitation.

  5. Inventory: Audit all internal services using TF convolution ops (tf.nn.conv*, tf.keras.layers.Conv*) and prioritize patching for those with external-facing inputs.
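
One way to implement the application-layer shape gate from step 2, as an added example (not TensorFlow's code and not part of the original advisory). It assumes a conv2d-style request with NHWC input and HWIO filter layouts; the function names and the sample requests are hypothetical.

```python
# Added example: validate conv2d request shapes before they reach TensorFlow.
# Assumed layouts: input NHWC [batch, height, width, channels],
# filter HWIO [filter_height, filter_width, in_channels, out_channels].

def _positive_ints(name, values, expected_len, errors):
    """Record an error unless `values` holds `expected_len` ints, all > 0."""
    if not isinstance(values, (list, tuple)) or len(values) != expected_len:
        errors.append(f"{name}: expected {expected_len} dimensions, got {values!r}")
        return False
    ok = True
    for i, v in enumerate(values):
        # bool is a subclass of int; None and -1 ("unknown") are refused too.
        if isinstance(v, bool) or not isinstance(v, int) or v <= 0:
            errors.append(f"{name}[{i}]: must be a positive integer, got {v!r}")
            ok = False
    return ok


def validate_conv2d_request(input_shape, filter_shape, strides=(1, 1), dilations=(1, 1)):
    """Return a list of reasons to reject the request; an empty list means accept."""
    errors = []
    in_ok = _positive_ints("input_shape", input_shape, 4, errors)
    f_ok = _positive_ints("filter_shape", filter_shape, 4, errors)
    _positive_ints("strides", strides, 2, errors)
    _positive_ints("dilations", dilations, 2, errors)
    if in_ok and f_ok:
        in_channels, filter_in = input_shape[3], filter_shape[2]
        # The modulo is only evaluated after both operands were proven non-zero.
        if in_channels % filter_in != 0:
            errors.append(
                f"input channels ({in_channels}) not a multiple of "
                f"filter in_channels ({filter_in})"
            )
    return errors


# Constructed sample requests: (input_shape, filter_shape).
SAMPLES = {
    "normal": ([1, 224, 224, 3], [3, 3, 3, 64]),
    "zero_width": ([1, 224, 0, 3], [3, 3, 3, 64]),
    "unknown_batch": ([None, 224, 224, 3], [3, 3, 3, 64]),
    "channel_mismatch": ([1, 8, 8, 4], [3, 3, 3, 8]),
}

if __name__ == "__main__":
    for label, (inp, flt) in SAMPLES.items():
        problems = validate_conv2d_request(inp, flt)
        print(label, "ACCEPT" if not problems else f"REJECT {problems}")
```

Call the validator in the request handler and return a client error on a non-empty result, so a rejected shape never reaches a TensorFlow kernel.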

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.9.3 - AI system verification and validation
NIST AI RMF: MANAGE-2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems and to address residual risk
OWASP LLM Top 10: LLM04 - Model Denial of Service

Frequently Asked Questions

Is CVE-2021-37675 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-37675, increasing the risk of exploitation.

What systems are affected by CVE-2021-37675?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference.

What is the CVSS score for CVE-2021-37675?

CVE-2021-37675 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.16%.

What is the AI security impact?

Affected AI Architectures

model serving, training pipelines, inference

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0043 Craft Adversarial Data
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.9.3
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/framework/common_shape_fns.cc#L577) is missing several validations before doing divisions and modulo operations. We have patched the issue in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with access to a model serving endpoint (e.g., a TensorFlow Serving REST API or a custom Flask/FastAPI wrapper) submits an inference request containing a tensor with invalid spatial dimensions — for example, a 2D image tensor with zero height or width. TensorFlow's shape inference code for convolution operators performs division/modulo operations on these dimensions without prior validation, triggering a division-by-zero that crashes the serving process. In a shared GPU cluster or containerized serving environment, a malicious tenant or compromised upstream data pipeline could repeatedly trigger this crash to deny service to legitimate users. No GPU or ML expertise required — attacker only needs to know the model accepts convolution inputs.

Weaknesses (CWE)

CWE-369 — Divide By Zero: The product divides a value by zero.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: August 12, 2021
Last Modified: November 21, 2024
First Seen: August 12, 2021
