CVE-2021-37676: TensorFlow: null ptr deref in SparseFillEmptyRows op

HIGH
Published August 12, 2021
CISO Take

A local attacker with low privileges can trigger undefined behavior (null pointer dereference) in TensorFlow's SparseFillEmptyRows op by passing empty tensors, potentially crashing training jobs or inference servers. Patch to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately—the fix is available and backported across all supported branches. Priority is elevated in shared ML compute environments (e.g., Jupyter hubs, model serving clusters) where multiple users or processes have local access.

Risk Assessment

Risk is HIGH in multi-tenant or shared ML infrastructure where untrusted users can submit jobs or invoke ops directly. The local attack vector and low privilege requirement make this realistic for any environment where data scientists or external users have shell access or notebook execution rights. The CVE is not in CISA KEV and there is no evidence of active exploitation, which reduces urgency slightly, but the low complexity and broad TF install base in enterprise ML pipelines keep this a priority patch item.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | | No patch |
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
7.8 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 2% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

Recommended Action

5 steps
  1. PATCH: Upgrade to TensorFlow >= 2.6.0, or apply backports 2.5.1, 2.4.3, 2.3.4.

  2. DETECT: Audit TF version across all ML workloads with 'pip show tensorflow', or check container base images.

  3. WORKAROUND (if patching is blocked): Add input validation to reject empty tensors before passing to SparseFillEmptyRows ops.

  4. HARDEN: Restrict direct TF op invocation to trusted users; do not expose raw TF op APIs to untrusted inputs.

  5. MONITOR: Alert on TF process crashes or unexpected OOM errors in training/serving jobs as potential exploitation indicators.
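
An added example, not part of the original advisory: a check for the DETECT step that classifies an installed TensorFlow version against the fixed releases named in the PATCH step. Treating branches older than 2.3 and pre-release builds of a fixed version as unpatched, and also looking up the `tensorflow-cpu` and `tensorflow-gpu` distributions, are assumptions of this example.

```python
import re
from importlib import metadata

# Minimum fixed patch level per release branch, taken from the PATCH step.
FIXED_PATCH = {(2, 3): 4, (2, 4): 3, (2, 5): 1, (2, 6): 0}
# Assumption: the CPU-only and GPU wheels share TensorFlow's version numbers.
DISTRIBUTIONS = ("tensorflow", "tensorflow-cpu", "tensorflow-gpu")

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")
_PRERELEASE = re.compile(r"^[-._]?(rc|a|b|dev)", re.IGNORECASE)


def is_patched(version: str) -> bool:
    """True if `version` is at or past the fixed release for its branch."""
    match = _VERSION.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised TensorFlow version: {version!r}")
    major, minor, patch = (int(part) for part in match.groups()[:3])
    branch = (major, minor)
    if branch > max(FIXED_PATCH):
        return True  # branches after 2.6 were cut after the fix landed
    if branch not in FIXED_PATCH:
        return False  # assumption: no backport exists below 2.3
    if patch != FIXED_PATCH[branch]:
        return patch > FIXED_PATCH[branch]
    # Assumption: a pre-release of the fixed version (e.g. 2.6.0rc1) may
    # predate the fix commit, so it is reported as unpatched.
    return not _PRERELEASE.match(match.group(4))


def audit_installed(lookup=metadata.version) -> dict:
    """Map each installed TensorFlow distribution to (version, patched)."""
    results = {}
    for name in DISTRIBUTIONS:
        try:
            version = lookup(name)
        except metadata.PackageNotFoundError:
            continue  # this distribution is not installed here
        results[name] = (version, is_patched(version))
    return results


if __name__ == "__main__":
    for name, (version, ok) in audit_installed().items():
        status = "patched" if ok else "VULNERABLE to CVE-2021-37676"
        print(f"{name} {version}: {status}")
```

Run it inside each virtual environment or container image, since the lookup only sees packages visible to the interpreter it runs under.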

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system for high-risk AI
ISO 42001
A.6.2.6 - AI system component security
NIST AI RMF
GOVERN 6.1 - Policies and procedures for AI risk governance
MANAGE 2.2 - Risk treatments including response and recovery plans
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2021-37676 actively exploited?

No confirmed active exploitation of CVE-2021-37676 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2021-37676?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, feature engineering pipelines, recommendation system backends.

What is the CVSS score for CVE-2021-37676?

CVE-2021-37676 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in `tf.raw_ops.SparseFillEmptyRows`. The shape inference [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/ops/sparse_ops.cc#L608-L634) does not validate that the input arguments are not empty tensors. We have patched the issue in GitHub commit 578e634b4f1c1c684d4b4294f9e5281b2133b3ed. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with low-privilege access to a shared ML platform (e.g., a data scientist on a multi-tenant Jupyter environment, or a malicious batch job) submits a crafted dataset where sparse tensor inputs to SparseFillEmptyRows contain zero-element tensors. The shape inference code dereferences a null pointer, causing undefined behavior—likely a crash of the TF worker process. In a Kubernetes-based training cluster, this crashes the training pod, potentially corrupting in-progress model checkpoints. Against a TF Serving instance without input sanitization, repeated exploitation creates a reliable DoS against the inference endpoint.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
August 12, 2021
Last Modified
November 21, 2024
First Seen
August 12, 2021

Related Vulnerabilities