CVE-2021-37675: TensorFlow: DoS via division by zero in conv ops

MEDIUM PoC AVAILABLE
Published August 12, 2021
CISO Take

A local attacker with low privileges can crash any TensorFlow process by submitting tensors with crafted shapes to convolution operators, causing a division-by-zero in shape inference. In multi-tenant ML serving environments or shared training clusters, this is a denial-of-service risk to model availability. Patch immediately to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4 and enforce input shape validation at API boundaries.

Risk Assessment

Medium risk overall, but elevated in production ML serving contexts. The local attack vector and low privilege requirement mean an attacker needs either direct system access or the ability to influence model inputs (e.g., via a serving API). The crash is deterministic and trivially reproducible — no ML expertise required. Impact is limited to availability (no data exfiltration or integrity compromise). Not in CISA KEV and no public exploitation evidence as of knowledge cutoff.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1
5.5 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 2% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local
AC Low
PR Low
UI None
S Unchanged
C None
I None
A High

Recommended Action

  1. Patch: Upgrade to TensorFlow 2.6.0 (or cherry-picked fixes: 2.5.1, 2.4.3, 2.3.4). Commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4 is the authoritative fix.

  2. Input validation: Enforce strict tensor shape validation at all serving API entry points before shapes reach TF kernels. Reject zero-dimension or otherwise invalid shapes at the application layer.

  3. Isolation: Run TensorFlow inference workers in isolated processes with watchdog restart — this limits DoS impact to a single worker rather than the entire serving fleet.

  4. Detection: Monitor for abnormal process crash rates in ML serving infra; a spike of shape-related crashes may indicate probing or active exploitation.

  5. Inventory: Audit all internal services using TF convolution ops (tf.nn.conv*, tf.keras.layers.Conv*) and prioritize patching for those with external-facing inputs.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.3 - AI system verification and validation
NIST AI RMF
MANAGE-2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems and to address residual risk
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2021-37675?

A local attacker with low privileges can crash any TensorFlow process by submitting tensors with crafted shapes to convolution operators, causing a division-by-zero in shape inference. In multi-tenant ML serving environments or shared training clusters, this is a denial-of-service risk to model availability. Patch immediately to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4 and enforce input shape validation at API boundaries.

Is CVE-2021-37675 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-37675, increasing the risk of exploitation.

How to fix CVE-2021-37675?

  1. Patch: Upgrade to TensorFlow 2.6.0 (or cherry-picked fixes: 2.5.1, 2.4.3, 2.3.4). Commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4 is the authoritative fix.

  2. Input validation: Enforce strict tensor shape validation at all serving API entry points before shapes reach TF kernels. Reject zero-dimension or otherwise invalid shapes at the application layer.

  3. Isolation: Run TensorFlow inference workers in isolated processes with watchdog restart — this limits DoS impact to a single worker rather than the entire serving fleet.

  4. Detection: Monitor for abnormal process crash rates in ML serving infra; a spike of shape-related crashes may indicate probing or active exploitation.

  5. Inventory: Audit all internal services using TF convolution ops (tf.nn.conv*, tf.keras.layers.Conv*) and prioritize patching for those with external-facing inputs.

What systems are affected by CVE-2021-37675?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference.

What is the CVSS score for CVE-2021-37675?

CVE-2021-37675 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash. The shape inference [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/framework/common_shape_fns.cc#L577) is missing several validations before doing divisions and modulo operations. We have patched the issue in GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with access to a model serving endpoint (e.g., a TensorFlow Serving REST API or a custom Flask/FastAPI wrapper) submits an inference request containing a tensor with invalid spatial dimensions — for example, a 2D image tensor with zero height or width. TensorFlow's shape inference code for convolution operators performs division/modulo operations on these dimensions without prior validation, triggering a division-by-zero that crashes the serving process. In a shared GPU cluster or containerized serving environment, a malicious tenant or compromised upstream data pipeline could repeatedly trigger this crash to deny service to legitimate users. No GPU or ML expertise required — attacker only needs to know the model accepts convolution inputs.
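
The application-layer shape validation recommended under Recommended Action, applied to the kind of request this scenario describes, as an added example (not code from the advisory or from TensorFlow). It derives the shape of a JSON-decoded nested-list tensor and rejects zero-sized, ragged, over-deep or oversized inputs before anything is handed to a TF kernel. The function names, the NHWC expectation and the `MAX_DIM` / `MAX_RANK` limits are assumptions.

```python
from typing import Any, Optional, Sequence, Tuple

MAX_DIM = 4096   # assumed per-axis ceiling; tune to the model
MAX_RANK = 5     # assumed nesting limit; also bounds recursion depth
# Constructed sample: one 2x2 RGB image in NHWC layout, as decoded from JSON.
SAMPLE = [[[[0.1, 0.2, 0.3], [0.4, 0.5, 0.6]],
           [[0.7, 0.8, 0.9], [1.0, 1.1, 1.2]]]]

class ShapeError(ValueError):
    """The request tensor must not be passed to TensorFlow."""

def infer_shape(value: Any, depth: int = 0) -> Tuple[int, ...]:
    """Shape of a nested-list tensor; rejects empty, ragged or over-deep input."""
    if not isinstance(value, list):
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise ShapeError(f"non-numeric leaf: {type(value).__name__}")
        return ()
    if depth >= MAX_RANK:
        raise ShapeError("nesting deeper than MAX_RANK")
    if not value:
        raise ShapeError("zero-sized dimension")  # e.g. zero height or width
    inner = infer_shape(value[0], depth + 1)
    for item in value[1:]:
        if infer_shape(item, depth + 1) != inner:
            raise ShapeError("ragged tensor")
    return (len(value),) + inner

def validate_conv_input(value: Any,
                        expected: Sequence[Optional[int]]) -> Tuple[int, ...]:
    """Match a decoded tensor against `expected`; None accepts 1..MAX_DIM."""
    shape = infer_shape(value)
    if len(shape) != len(expected):
        raise ShapeError(f"rank {len(shape)} != expected {len(expected)}")
    for axis, (got, want) in enumerate(zip(shape, expected)):
        if got > MAX_DIM:
            raise ShapeError(f"axis {axis} size {got} exceeds MAX_DIM")
        if want is not None and got != want:
            raise ShapeError(f"axis {axis} size {got} != {want}")
    return shape

def is_acceptable(value: Any, expected: Sequence[Optional[int]]) -> bool:
    """Boolean wrapper for request handlers that answer HTTP 400 on False."""
    try:
        validate_conv_input(value, expected)
    except ShapeError:
        return False
    return True
```

Cap the request body size before JSON decoding as well; this check only runs once the payload is already in memory.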

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
August 12, 2021
Last Modified
November 21, 2024
First Seen
August 12, 2021
