CVE-2021-37676: TensorFlow: null ptr deref in SparseFillEmptyRows op

HIGH
Published August 12, 2021
CISO Take

A local attacker with low privileges can trigger undefined behavior (null pointer dereference) in TensorFlow's SparseFillEmptyRows op by passing empty tensors, potentially crashing training jobs or inference servers. Patch to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4 immediately—the fix is available and backported across all supported branches. Priority is elevated in shared ML compute environments (e.g., Jupyter hubs, model serving clusters) where multiple users or processes have local access.

What is the risk?

Risk is HIGH in multi-tenant or shared ML infrastructure where untrusted users can submit jobs or invoke ops directly. The local attack vector and low privilege requirement make this realistic for any environment where data scientists or external users have shell access or notebook execution rights. The CVE is not in CISA KEV and there is no evidence of active exploitation, which reduces urgency slightly, but the low complexity and broad TF install base in enterprise ML pipelines keep this a priority patch item.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch

How severe is it?

CVSS 3.1: 7.8 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 7% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

  1. PATCH

    Upgrade to TensorFlow >= 2.6.0, or apply backports 2.5.1, 2.4.3, 2.3.4.

  2. DETECT

    Audit TF version across all ML workloads—'pip show tensorflow' or check container base images.

  3. WORKAROUND (if patching is blocked)

    Add input validation to reject empty tensors before passing to SparseFillEmptyRows ops.

  4. HARDEN

    Restrict direct TF op invocation to trusted users; do not expose raw TF op APIs to untrusted inputs.

  5. MONITOR

    Alert on TF process crashes or unexpected OOM errors in training/serving jobs as potential exploitation indicators.
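
Steps 2 and 3 as an added example (not code from the advisory or the TensorFlow project): a version audit over `pip freeze` output using the fixed releases listed above, plus a guard that rejects empty inputs before the op is called. The names `classify`, `audit`, `require_non_empty` and the inventory are constructed for illustration; treating branches older than 2.3 as vulnerable and pre-release builds as "review" are assumptions.

```python
import math
import re

# First fixed patch release per backported branch, as listed in the advisory.
BACKPORTS = {(2, 3): 4, (2, 4): 3, (2, 5): 1}
FIXED_FROM = (2, 6)  # 2.6.0 and later ship the fix
PIN = re.compile(r"^tensorflow(?:-cpu|-gpu)?==(\d+)\.(\d+)\.(\d+)(.*)$", re.I)


def classify(freeze_line):
    """Verdict for one `pip freeze` line; None if it is not a TensorFlow pin."""
    m = PIN.match(freeze_line.strip())
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    if m.group(4):  # rc/dev/local build: fix status is not derivable from the number
        return "review"
    if (major, minor) >= FIXED_FROM:
        return "patched"
    # Assumption: branches without a listed backport (older than 2.3) stay vulnerable.
    fixed_patch = BACKPORTS.get((major, minor))
    return "patched" if fixed_patch is not None and patch >= fixed_patch else "vulnerable"


def audit(inventory):
    """Map image name -> worst TensorFlow verdict ('absent' if nothing is pinned)."""
    worst_first = ["vulnerable", "review", "patched"]
    report = {}
    for image, freeze in inventory.items():
        verdicts = [v for v in map(classify, freeze.splitlines()) if v]
        report[image] = min(verdicts, key=worst_first.index, default="absent")
    return report


def require_non_empty(**tensors):
    """Workaround guard: raise if any input (with a fully known .shape) has zero elements."""
    for name, t in tensors.items():
        if math.prod(int(d) for d in t.shape) == 0:
            raise ValueError(f"{name} is empty; refusing to call SparseFillEmptyRows")


# Constructed inventory: image names and pins are illustrative, not real data.
INVENTORY = {
    "train-job": "numpy==1.19.5\ntensorflow==2.5.0\ntensorflow-estimator==2.5.0",
    "serving": "tensorflow-cpu==2.4.3",
    "notebook": "tensorflow-gpu==2.6.0rc1",
    "etl": "pandas==1.3.1",
}
```

Run `audit(INVENTORY)` against real `pip freeze` captures per image, and call `require_non_empty(indices=indices, values=values, dense_shape=dense_shape)` immediately before `tf.raw_ops.SparseFillEmptyRows` on hosts that cannot be upgraded yet.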

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system for high-risk AI
ISO 42001: A.6.2.6 - AI system component security
NIST AI RMF: GOVERN 6.1 - Policies and procedures for AI risk governance; MANAGE 2.2 - Risk treatments including response and recovery plans
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2021-37676 actively exploited?

No confirmed active exploitation of CVE-2021-37676 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2021-37676?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, feature engineering pipelines, recommendation system backends.

What is the CVSS score for CVE-2021-37676?

CVE-2021-37676 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.17%.

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, feature engineering pipelines, recommendation system backends

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2.6
NIST AI RMF: GOVERN 6.1, MANAGE 2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in `tf.raw_ops.SparseFillEmptyRows`. The shape inference [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/ops/sparse_ops.cc#L608-L634) does not validate that the input arguments are not empty tensors. We have patched the issue in GitHub commit 578e634b4f1c1c684d4b4294f9e5281b2133b3ed. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with low-privilege access to a shared ML platform (e.g., a data scientist on a multi-tenant Jupyter environment, or a malicious batch job) submits a crafted dataset where sparse tensor inputs to SparseFillEmptyRows contain zero-element tensors. The shape inference code dereferences a null pointer, causing undefined behavior—likely a crash of the TF worker process. In a Kubernetes-based training cluster, this crashes the training pod, potentially corrupting in-progress model checkpoints. Against a TF Serving instance without input sanitization, repeated exploitation creates a reliable DoS against the inference endpoint.

Weaknesses (CWE)

CWE-824 — Access of Uninitialized Pointer: The product accesses or uses a pointer that has not been initialized.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: August 12, 2021
Last Modified: November 21, 2024
First Seen: August 12, 2021
