CVE-2021-37680 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

A local attacker with low privileges can crash TensorFlow Lite inference by supplying a malformed model that triggers a division by zero in fully connected layer processing. No data exfiltration or code execution risk — impact is confined to availability. Patch to TF 2.6.0 immediately, or apply the backport commit to 2.3.x–2.5.x; this is a straightforward dependency update.

Risk Assessment

Medium risk overall (CVSS 5.5). Exploitability is low-bar — requires only local access and low privileges with no user interaction. Impact is limited to availability (application crash/DoS); there is zero confidentiality or integrity exposure. Risk elevates in deployments where untrusted or user-supplied TFLite models are loaded, effectively making this remotely triggerable through the model-upload surface. Not in CISA KEV and no evidence of active exploitation.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 2% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Upgrade to TensorFlow 2.6.0 or apply cherry-picked commit 718721986aa137691ee23f03638867151f74935f to TF 2.5.1, 2.4.3, or 2.3.4.
Validate model files before loading — reject TFLite models with zero-dimension fully connected layer configurations using a pre-load schema check.
Run TFLite inference in isolated processes or sandboxes to contain crash blast radius.
Audit any pipeline accepting external or user-supplied TFLite model files as an untrusted input surface.
Monitor inference services for unexpected crashes or process restarts as a detection heuristic.

Classification

DoS Supply Chain Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity of high-risk AI systems

ISO 42001

A.9.7 - Vulnerability management for AI systems

NIST AI RMF

GOVERN 1.2 - Organizational policies and practices for AI risk management MANAGE 2.2 - Mechanisms to respond to and recover from AI errors and incidents

Frequently Asked Questions

What is CVE-2021-37680?

A local attacker with low privileges can crash TensorFlow Lite inference by supplying a malformed model that triggers a division by zero in fully connected layer processing. No data exfiltration or code execution risk — impact is confined to availability. Patch to TF 2.6.0 immediately, or apply the backport commit to 2.3.x–2.5.x; this is a straightforward dependency update.

Is CVE-2021-37680 actively exploited?

No confirmed active exploitation of CVE-2021-37680 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37680?

1. Upgrade to TensorFlow 2.6.0 or apply cherry-picked commit 718721986aa137691ee23f03638867151f74935f to TF 2.5.1, 2.4.3, or 2.3.4. 2. Validate model files before loading — reject TFLite models with zero-dimension fully connected layer configurations using a pre-load schema check. 3. Run TFLite inference in isolated processes or sandboxes to contain crash blast radius. 4. Audit any pipeline accepting external or user-supplied TFLite model files as an untrusted input surface. 5. Monitor inference services for unexpected crashes or process restarts as a detection heuristic.

What systems are affected by CVE-2021-37680?

This vulnerability affects the following AI/ML architecture patterns: edge/mobile inference, model serving, MLOps evaluation pipelines, on-device AI.

What is the CVSS score for CVE-2021-37680?

CVE-2021-37680 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of fully connected layers in TFLite is [vulnerable to a division by zero error](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/fully_connected.cc#L226). We have patched the issue in GitHub commit 718721986aa137691ee23f03638867151f74935f. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with local access, or the ability to supply a malicious .tflite model file to an application, crafts a model where the fully connected layer contains a zero-valued dimension parameter. When the application loads and executes the model, the TFLite kernel performs an integer division by zero, crashing the inference process. In an edge AI device context (e.g., an autonomous system or IoT sensor), this disrupts safety-critical inference availability. In a model-evaluation-as-a-service context where users can upload models for batch inference, the local vulnerability becomes remotely triggerable, enabling repeated DoS against the inference endpoint by any authenticated user.