CVE-2021-37677: TensorFlow: DoS via invalid Dequantize axis argument

MEDIUM
Published August 12, 2021
CISO Take

A local attacker with low privileges can crash TensorFlow inference processes by supplying an invalid axis value to the Dequantize op, triggering a segfault. Primary risk is model serving environments that accept user-controlled inputs or load externally sourced models. Patch immediately to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4—the fix is available and trivial to apply.

Risk Assessment

Medium risk in isolated deployments, elevated in shared or internet-facing ML serving infrastructure. The local attack vector assumes the adversary can submit inference requests or control model inputs, which is realistic for any ML API or multi-tenant platform. Low complexity and no required user interaction mean exploitation is straightforward once the vulnerable code path is identified. The CVE is not in CISA KEV and no public exploits have been observed, but the broad deployment footprint of TensorFlow increases aggregate exposure across AI-heavy organizations.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1
5.5 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 1% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

Attack Surface

AV Local
AC Low
PR Low
UI None
S Unchanged
C None
I None
A High

Recommended Action

  1. Patch: Upgrade to TensorFlow ≥2.6.0 or apply backports to 2.5.1, 2.4.3, or 2.3.4.

  2. Input validation: Validate axis parameter before passing to Dequantize ops; reject values outside the range [-1, tensor_rank-1].

  3. Process resilience: Run TF serving under a supervisor (systemd, supervisord, Kubernetes liveness probe) with auto-restart to minimize downtime from a crash.

  4. Model vetting: Audit SavedModels sourced from third parties for suspicious Dequantize configurations before loading into production.

  5. Detection: Alert on abnormal process crashes or segfaults in TF serving logs and unexpected inference service restarts.
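Steps 2 and 4 can share one range check, shown here as an added example (not code from TensorFlow or from this advisory). The node dictionaries, `check_dequantize_axis`, `audit_nodes` and the sample graph are hypothetical and constructed for illustration; with a real GraphDef the same values would be read from each NodeDef's `op` field and `attr["axis"].i`.

```python
from typing import NamedTuple, Optional

class Finding(NamedTuple):
    node: str
    axis: object
    reason: str

def check_dequantize_axis(axis, input_rank: Optional[int] = None) -> Optional[str]:
    """Return a rejection reason, or None if axis lies in [-1, input_rank-1]."""
    if isinstance(axis, bool) or not isinstance(axis, int):
        return "axis is not an integer"
    if axis < -1:
        return "axis below -1"
    # The upper bound can only be enforced when the input rank is known.
    if input_rank is not None and axis >= input_rank:
        return "axis not below input rank"
    return None

def audit_nodes(nodes):
    """Flag every Dequantize node whose axis attribute fails the range check."""
    findings = []
    for node in nodes:
        if node["op"] != "Dequantize":
            continue
        # -1 is the op's default when the attribute is absent.
        axis = node.get("attrs", {}).get("axis", -1)
        reason = check_dequantize_axis(axis, node.get("input_rank"))
        if reason:
            findings.append(Finding(node["name"], axis, reason))
    return findings

# Constructed sample: a simplified view of graph nodes (assumed layout), as
# would be extracted from a third-party SavedModel before loading it.
SAMPLE_NODES = [
    {"name": "conv/weights_dq", "op": "Dequantize", "attrs": {"axis": 3}, "input_rank": 4},
    {"name": "dense/act_dq", "op": "Dequantize", "attrs": {}, "input_rank": 2},
    {"name": "bad/dq_neg", "op": "Dequantize", "attrs": {"axis": -2}, "input_rank": 2},
    {"name": "bad/dq_high", "op": "Dequantize", "attrs": {"axis": 2}, "input_rank": 2},
    {"name": "relu", "op": "Relu", "attrs": {}, "input_rank": 2},
]

if __name__ == "__main__":
    for f in audit_nodes(SAMPLE_NODES):
        print(f"REJECT {f.node}: axis={f.axis} ({f.reason})")
```

The same `check_dequantize_axis` call can sit in front of a serving endpoint so that out-of-range values are refused before they reach the op.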

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.3 - AI system operation and monitoring — security controls
NIST AI RMF
MANAGE-2.2 - Mechanisms are in place to sustain beneficial uses of AI systems and address negative impacts

Frequently Asked Questions

What is CVE-2021-37677?

A local attacker with low privileges can crash TensorFlow inference processes by supplying an invalid axis value to the Dequantize op, triggering a segfault. Primary risk is model serving environments that accept user-controlled inputs or load externally sourced models. Patch immediately to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4—the fix is available and trivial to apply.

Is CVE-2021-37677 actively exploited?

No confirmed active exploitation of CVE-2021-37677 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37677?

  1. Patch: Upgrade to TensorFlow ≥2.6.0 or apply backports to 2.5.1, 2.4.3, or 2.3.4.

  2. Input validation: Validate axis parameter before passing to Dequantize ops; reject values outside the range [-1, tensor_rank-1].

  3. Process resilience: Run TF serving under a supervisor (systemd, supervisord, Kubernetes liveness probe) with auto-restart to minimize downtime from a crash.

  4. Model vetting: Audit SavedModels sourced from third parties for suspicious Dequantize configurations before loading into production.

  5. Detection: Alert on abnormal process crashes or segfaults in TF serving logs and unexpected inference service restarts.

What systems are affected by CVE-2021-37677?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, training pipelines.

What is the CVSS score for CVE-2021-37677?

CVE-2021-37677 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the shape inference code for `tf.raw_ops.Dequantize` has a vulnerability that could trigger a denial of service via a segfault if an attacker provides invalid arguments. The shape inference [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/ops/array_ops.cc#L2999-L3014) uses `axis` to select between two different values for `minmax_rank` which is then used to retrieve tensor dimensions. However, code assumes that `axis` can be either `-1` or a value greater than `-1`, with no validation for the other values. We have patched the issue in GitHub commit da857cfa0fde8f79ad0afdbc94e88b5d4bbec764. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targets an organization's quantized model serving API. By crafting a request that triggers tf.raw_ops.Dequantize with an axis value below -1 (e.g., -2), the shape inference code computes an invalid minmax_rank, accesses out-of-bounds tensor dimensions, and causes a segfault—crashing the serving process. Without auto-restart configured, the inference endpoint goes offline. The attack is repeatable: if auto-restart is in place, rapid repeated crafted requests create a sustained crash loop, effectively producing a persistent DoS against the ML service with minimal attacker effort.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
August 12, 2021
Last Modified
November 21, 2024
First Seen
August 12, 2021
