CVE-2021-37681: TensorFlow Lite: null ptr deref crashes SVDF inference
HIGH
Teams running TensorFlow Lite inference with SVDF layers (common in keyword-spotting and speech models) are exposed to application crashes and potential code execution on affected versions. Upgrade to TF 2.6.0 or the respective cherrypick backports (2.5.1, 2.4.3, 2.3.4) immediately. Edge AI and mobile deployments are highest risk given local attacker access requirements.
What is the risk?
CVSS 7.8 is meaningful here despite the local attack vector: edge AI devices (IoT, mobile, embedded), shared inference servers, and Jupyter/notebook environments all present realistic local-access scenarios for adversaries. The low complexity and the lack of a user-interaction requirement make exploitation straightforward once local access is achieved. The CVE is not in CISA KEV and predates active AI model serving proliferation, which reduces urgency for cloud-only deployments.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
Do you use TensorFlow? You're affected.
What should I do?
5 steps:
1. Patch: Upgrade to TensorFlow 2.6.0 or apply cherrypick commit 5b048e87e4e55990dae6b547add4dae59f4e1c76 to 2.5.x/2.4.x/2.3.x branches.
2. Inventory: Identify all TFLite deployments using SVDF-containing models (grep model files for SVDF op type).
3. Workaround: Validate model graph before loading — reject models with SVDF ops on unpatched runtimes.
4. Detection: Monitor inference process crash rates; unexpected TFLite segfaults on SVDF inference paths indicate attempted exploitation.
5. Edge devices: Prioritize OTA updates for devices running TFLite-based speech/wake-word models.
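One way to implement the inventory and workaround steps, as an added example (not code from TensorFlow or from this advisory): builtin ops are stored in a `.tflite` file as enum numbers rather than names, so the check reads the FlatBuffers `operator_codes` table and looks for SVDF (enum value 27) instead of searching for the string. `ModelUsesSvdf`, `SafeToLoad` and `MakeSampleModel` are hypothetical names, and the sample buffer is constructed for illustration.

```cpp
#include <algorithm>
#include <cstdint>
#include <stdexcept>
#include <vector>

using Buf = std::vector<uint8_t>;
constexpr int32_t kBuiltinSvdf = 27;  // BuiltinOperator_SVDF in the TFLite schema
// Bounds-checked little-endian read of n bytes (n <= 4); throws on a truncated file.
uint32_t Rd(const Buf& b, size_t o, size_t n) {
  if (o > b.size() || b.size() - o < n) throw std::runtime_error("truncated model");
  uint32_t v = 0;
  for (size_t i = n; i-- > 0;) v = v << 8 | b[o + i];
  return v;
}
// Absolute offset of field `id` in the FlatBuffers table at `tab`, or 0 if absent.
size_t Field(const Buf& b, size_t tab, unsigned id) {
  size_t vt = tab - int32_t(Rd(b, tab, 4));  // the table stores a signed vtable offset
  if (4 + 2 * id + 2 > Rd(b, vt, 2)) return 0;
  uint32_t rel = Rd(b, vt + 4 + 2 * id, 2);
  return rel ? tab + rel : 0;
}
// True if any Model.operator_codes entry (Model field 1) resolves to SVDF.
bool ModelUsesSvdf(const Buf& b) {
  size_t f = Field(b, Rd(b, 0, 4), 1);
  if (!f) return false;
  size_t vec = f + Rd(b, f, 4);
  for (uint32_t i = 0, n = Rd(b, vec, 4); i < n; ++i) {
    size_t e = vec + 4 + 4 * size_t(i), oc = e + Rd(b, e, 4);
    size_t dep = Field(b, oc, 0), cur = Field(b, oc, 3);
    // Older files set only the one-byte deprecated_builtin_code; use the larger value.
    int32_t old_code = dep ? int8_t(Rd(b, dep, 1)) : 0;
    int32_t new_code = cur ? int32_t(Rd(b, cur, 4)) : 0;
    if (std::max(old_code, new_code) == kBuiltinSvdf) return true;
  }
  return false;
}
// Load gate: malformed files are always rejected, SVDF only on unpatched runtimes.
bool SafeToLoad(const Buf& model, bool runtime_patched) {
  try { return !ModelUsesSvdf(model) || runtime_patched; }
  catch (const std::exception&) { return false; }
}
// Constructed 56-byte sample (not a real model): header, Model table, one OperatorCode.
Buf MakeSampleModel(int8_t deprecated_code, int32_t builtin_code) {
  const uint32_t words[] = {16, 0x334C4654, 0x00080008, 0x00040000, 8, 4, 1, 16, 0x000C000C,
                            8, 0x00040000, 12, uint32_t(builtin_code), uint8_t(deprecated_code)};
  Buf b;
  for (uint32_t w : words) for (int s = 0; s < 32; s += 8) b.push_back(uint8_t(w >> s));
  return b;
}
int main() { return SafeToLoad(MakeSampleModel(27, 27), false) ? 1 : 0; }
```

Custom ops are identified by name in `custom_code` and are outside what this check covers.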
Frequently Asked Questions
Is CVE-2021-37681 actively exploited?
No confirmed active exploitation of CVE-2021-37681 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2021-37681?
This vulnerability affects the following AI/ML architecture patterns: on-device inference (mobile/IoT), TFLite model serving, speech/keyword detection pipelines, training pipelines with TFLite conversion, edge AI deployments.
What is the CVSS score for CVE-2021-37681?
CVE-2021-37681 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.17%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0011.001 Malicious Package
- AML.T0029 Denial of AI Service
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of SVDF in TFLite is [vulnerable to a null pointer error](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/svdf.cc#L300-L313). The [`GetVariableInput` function](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/kernel_util.cc#L115-L119) can return a null pointer but `GetTensorData` assumes that the argument is always a valid tensor. Furthermore, because `GetVariableInput` calls [`GetMutableInput`](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/kernel_util.cc#L82-L90) which might return `nullptr`, the `tensor->is_variable` expression can also trigger a null pointer exception. We have patched the issue in GitHub commit 5b048e87e4e55990dae6b547add4dae59f4e1c76. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
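The null-pointer chain described in the advisory, reduced to a self-contained model, as an added example that is not TensorFlow's code or its patch. The types, `EvalSvdfLike` and `MakeSampleContext` are simplified, hypothetical stand-ins; only the function names `GetMutableInput` and `GetVariableInput` come from the advisory.

```cpp
#include <cstddef>
#include <vector>

// Simplified stand-ins for the TFLite kernel types (hypothetical, not the real API).
struct Tensor { bool is_variable; std::vector<float> data; };
struct Context { std::vector<Tensor> tensors; };
struct Node { std::vector<int> inputs; };  // -1 marks an omitted optional input
enum Status { kOk, kError };

// Like the GetMutableInput the advisory describes: it may return nullptr.
Tensor* GetMutableInput(Context& ctx, const Node& node, size_t index) {
  if (index >= node.inputs.size()) return nullptr;
  int t = node.inputs[index];
  if (t < 0 || static_cast<size_t>(t) >= ctx.tensors.size()) return nullptr;
  return &ctx.tensors[t];
}
// Vulnerable shape (never called here): tensor->is_variable runs on a null pointer.
Tensor* GetVariableInputUnchecked(Context& ctx, const Node& node, size_t index) {
  Tensor* tensor = GetMutableInput(ctx, node, index);
  return tensor->is_variable ? tensor : nullptr;
}
// Hardened shape: a missing tensor propagates as nullptr.
Tensor* GetVariableInput(Context& ctx, const Node& node, size_t index) {
  Tensor* tensor = GetMutableInput(ctx, node, index);
  if (tensor == nullptr) return nullptr;
  return tensor->is_variable ? tensor : nullptr;
}
// Hardened caller: fail the op instead of reading state->data through nullptr.
Status EvalSvdfLike(Context& ctx, const Node& node, size_t state_index) {
  Tensor* state = GetVariableInput(ctx, node, state_index);
  if (state == nullptr) return kError;
  for (float& v : state->data) v *= 0.5f;  // placeholder for the real state update
  return kOk;
}
// Constructed sample: tensor 0 is a plain input, tensor 1 is variable state.
Context MakeSampleContext() {
  Context ctx;
  ctx.tensors.push_back({false, {1.0f}});
  ctx.tensors.push_back({true, {2.0f, 4.0f}});
  return ctx;
}
int main() {
  Context ctx = MakeSampleContext();
  return EvalSvdfLike(ctx, Node{{0, -1}}, 1) == kError ? 0 : 1;  // omitted state tensor
}
```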
Exploitation Scenario
An adversary with local access to a system running a TFLite-based speech recognition or keyword detection application crafts or modifies a TFLite model with a malformed SVDF layer that causes GetVariableInput to return a null pointer. When the application loads and runs inference on this model, GetTensorData dereferences the null pointer — crashing the inference process (DoS). On embedded targets with predictable memory layout, this primitive can be chained with a heap grooming technique to redirect execution flow. In a shared ML inference server or a containerized AI workload with untrusted model uploads, an attacker could crash the serving process repeatedly, achieving persistent denial of the AI service.
Weaknesses (CWE)
CWE-476 — NULL Pointer Dereference: The product dereferences a pointer that it expects to be valid but is NULL.
- [Implementation] For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
- [Requirements] Select a programming language that is not susceptible to these issues.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Related Vulnerabilities
| CVE | CVSS | Summary | Relation |
|---|---|---|---|
| CVE-2020-15196 | 9.9 | TensorFlow: heap OOB read in sparse/ragged count ops | Same package: tensorflow |
| CVE-2020-15205 | 9.8 | TensorFlow: heap overflow in StringNGrams, ASLR bypass | Same package: tensorflow |
| CVE-2020-15208 | 9.8 | TFLite: OOB read/write via tensor dimension mismatch | Same package: tensorflow |
| CVE-2019-16778 | 9.8 | TensorFlow: heap overflow in UnsortedSegmentSum op | Same package: tensorflow |
| CVE-2022-23587 | 9.8 | TensorFlow: integer overflow in Grappler enables RCE | Same package: tensorflow |