CVE-2021-37677: TensorFlow: DoS via invalid Dequantize axis argument

MEDIUM
Published August 12, 2021
CISO Take

A local attacker with low privileges can crash TensorFlow inference processes by supplying an invalid axis value to the Dequantize op, triggering a segfault. Primary risk is model serving environments that accept user-controlled inputs or load externally sourced models. Patch immediately to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4—the fix is available and trivial to apply.

What is the risk?

Medium risk in isolated deployments, elevated in shared or internet-facing ML serving infrastructure. The local attack vector assumes the adversary can submit inference requests or control model inputs—realistic for any ML API or multi-tenant platform. Low complexity and no user interaction required means exploitation is straightforward once the vulnerable codepath is identified. Not in CISA KEV and no public exploits observed, but the broad deployment footprint of TensorFlow increases aggregate exposure across AI-heavy organizations.

What systems are affected?

Package: TensorFlow
Ecosystem: pip
Vulnerable Range: not listed
Patched: No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 5.5 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 4% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High

What should I do?

5 steps
  1. Patch: Upgrade to TensorFlow ≥2.6.0 or apply backports to 2.5.1, 2.4.3, or 2.3.4.

  2. Input validation: Validate axis parameter before passing to Dequantize ops; reject values outside the range [-1, tensor_rank-1].

  3. Process resilience: Run TF serving under a supervisor (systemd, supervisord, Kubernetes liveness probe) with auto-restart to minimize downtime from a crash.

  4. Model vetting: Audit SavedModels sourced from third parties for suspicious Dequantize configurations before loading into production.

  5. Detection: Alert on abnormal process crashes or segfaults in TF serving logs and unexpected inference service restarts.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.3 - AI system operation and monitoring — security controls
NIST AI RMF
MANAGE-2.2 - Mechanisms are in place to sustain beneficial uses of AI systems and address negative impacts

Frequently Asked Questions

What is CVE-2021-37677?

A local attacker with low privileges can crash TensorFlow inference processes by supplying an invalid axis value to the Dequantize op, triggering a segfault. Primary risk is model serving environments that accept user-controlled inputs or load externally sourced models. Patch immediately to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4—the fix is available and trivial to apply.

Is CVE-2021-37677 actively exploited?

No confirmed active exploitation of CVE-2021-37677 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37677?

  1. Patch: Upgrade to TensorFlow ≥2.6.0 or apply backports to 2.5.1, 2.4.3, or 2.3.4.

  2. Input validation: Validate axis parameter before passing to Dequantize ops; reject values outside the range [-1, tensor_rank-1].

  3. Process resilience: Run TF serving under a supervisor (systemd, supervisord, Kubernetes liveness probe) with auto-restart to minimize downtime from a crash.

  4. Model vetting: Audit SavedModels sourced from third parties for suspicious Dequantize configurations before loading into production.

  5. Detection: Alert on abnormal process crashes or segfaults in TF serving logs and unexpected inference service restarts.

What systems are affected by CVE-2021-37677?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, training pipelines.

What is the CVSS score for CVE-2021-37677?

CVE-2021-37677 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.15%.

What is the AI security impact?

Affected AI Architectures

model serving, inference APIs, training pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.9.3
NIST AI RMF: MANAGE-2.2

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the shape inference code for `tf.raw_ops.Dequantize` has a vulnerability that could trigger a denial of service via a segfault if an attacker provides invalid arguments. The shape inference [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/ops/array_ops.cc#L2999-L3014) uses `axis` to select between two different values for `minmax_rank` which is then used to retrieve tensor dimensions. However, code assumes that `axis` can be either `-1` or a value greater than `-1`, with no validation for the other values. We have patched the issue in GitHub commit da857cfa0fde8f79ad0afdbc94e88b5d4bbec764. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
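The following is an added example, not TensorFlow project code, that puts the advisory's description and remediation steps 2 (input validation) and 4 (model vetting) into working form. It is written in plain Python so it runs without TensorFlow installed: `validate_dequantize_axis` enforces the [-1, rank-1] rule before an `axis` value would reach a Dequantize op, `described_minmax_rank` is a simplified model (an assumption, not the C++ source) of the `axis == -1` branch selection the advisory describes, and `find_bad_dequantize_nodes` scans a constructed GraphDef-like node list for Dequantize nodes whose `axis` attribute would fail that rule. Node names, shapes and the dict layout are constructed for illustration; the default `axis` of -1 matches the documented Dequantize default.

```python
"""Defensive checks for the Dequantize `axis` attribute (CVE-2021-37677).

Added example; not code from TensorFlow or the advisory. The GraphDef-like
node dicts below are constructed for illustration only.
"""
from typing import Any, Dict, List, Sequence, Tuple


def validate_dequantize_axis(axis: int, input_shape: Sequence[int]) -> int:
    """Return `axis` unchanged if it is acceptable for `input_shape`.

    Accepts -1 (per-tensor min/max) or 0 <= axis <= rank-1 (per-channel).
    Anything else, including axis < -1, raises ValueError. This is the
    "accept known good" range check the remediation steps ask for, applied
    before the value ever reaches the op's shape inference.
    """
    if not isinstance(axis, int) or isinstance(axis, bool):
        raise ValueError(f"axis must be an int, got {type(axis).__name__}")
    rank = len(input_shape)
    if axis == -1 or 0 <= axis < rank:
        return axis
    raise ValueError(f"axis {axis} is outside [-1, {rank - 1}] for rank-{rank} input")


def is_valid_dequantize_axis(axis: Any, input_shape: Sequence[int]) -> bool:
    """Boolean wrapper around validate_dequantize_axis for callers and tests."""
    try:
        validate_dequantize_axis(axis, input_shape)
    except ValueError:
        return False
    return True


def described_minmax_rank(axis: int) -> int:
    """Simplified model (assumption) of the branch the advisory describes.

    The unpatched code chose between two min/max ranks based only on
    whether axis == -1, so an axis of -2 silently falls into the
    per-channel branch even though no channel dimension -2 was intended.
    Run validate_dequantize_axis first so this branch is never reached
    with such a value.
    """
    return 0 if axis == -1 else 1


def find_bad_dequantize_nodes(nodes: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Vet a list of GraphDef-like node dicts before loading a model.

    Returns (node_name, reason) for every Dequantize node whose `axis`
    fails validation or cannot be bounded because its input shape is
    unknown. Non-Dequantize nodes are ignored.
    """
    findings: List[Tuple[str, str]] = []
    for node in nodes:
        if node.get("op") != "Dequantize":
            continue
        axis = node.get("attr", {}).get("axis", -1)  # Dequantize default is -1
        shape = node.get("input_shape")
        if shape is None:
            findings.append((node["name"], "input shape unknown; cannot bound axis"))
            continue
        try:
            validate_dequantize_axis(axis, shape)
        except ValueError as exc:
            findings.append((node["name"], str(exc)))
    return findings


# Constructed sample graph: two well-formed Dequantize nodes, two that the
# validator must reject, and one unrelated op.
SAMPLE_NODES: List[Dict[str, Any]] = [
    {"name": "dq_per_tensor", "op": "Dequantize", "attr": {"axis": -1},
     "input_shape": [1, 224, 224, 3]},
    {"name": "dq_per_channel", "op": "Dequantize", "attr": {"axis": 3},
     "input_shape": [1, 224, 224, 3]},
    {"name": "dq_axis_below_minus_one", "op": "Dequantize", "attr": {"axis": -2},
     "input_shape": [1, 224, 224, 3]},
    {"name": "dq_axis_past_rank", "op": "Dequantize", "attr": {"axis": 4},
     "input_shape": [1, 224, 224, 3]},
    {"name": "relu", "op": "Relu", "attr": {}},
]


if __name__ == "__main__":
    for name, reason in find_bad_dequantize_nodes(SAMPLE_NODES):
        print(f"REJECT {name}: {reason}")
```

In a serving path the same `validate_dequantize_axis` call belongs at the request boundary, before any user-supplied value is handed to `tf.raw_ops.Dequantize`; in a model-ingest pipeline `find_bad_dequantize_nodes` runs over the imported graph and blocks loading on any finding, including nodes whose input shape is unknown, since those cannot be bounded.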

Exploitation Scenario

An adversary targets an organization's quantized model serving API. By crafting a request that triggers tf.raw_ops.Dequantize with an axis value below -1 (e.g., -2), the shape inference code computes an invalid minmax_rank, accesses out-of-bounds tensor dimensions, and causes a segfault—crashing the serving process. Without auto-restart configured, the inference endpoint goes offline. The attack is repeatable: if auto-restart is in place, rapid repeated crafted requests create a sustained crash loop, effectively producing a persistent DoS against the ML service with minimal attacker effort.

Weaknesses (CWE)

CWE-1284 — Improper Validation of Specified Quantity in Input: The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
August 12, 2021
Last Modified
November 21, 2024
First Seen
August 12, 2021
