CVE-2021-37681 — HIGH (CVSS 7.8) AI Security Vulnerability

CISO Take

Teams running TensorFlow Lite inference with SVDF layers (common in keyword-spotting and speech models) are exposed to application crashes and potential code execution on affected versions. Upgrade to TF 2.6.0 or the respective cherrypick backports (2.5.1, 2.4.3, 2.3.4) immediately. Edge AI and mobile deployments are highest risk given local attacker access requirements.

Risk Assessment

CVSS 7.8 is meaningful here despite the local attack vector: edge AI devices (IoT, mobile, embedded), shared inference servers, and Jupyter/notebook environments all present realistic local-access scenarios for adversaries. The low complexity and no user-interaction requirements make exploitation straightforward once local access is achieved. Not in CISA KEV and predates active AI model serving proliferation, reducing urgency for cloud-only deployments.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.8 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 11% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

Recommended Action

5 steps

Patch: Upgrade to TensorFlow 2.6.0 or apply cherrypick commit 5b048e87e4e55990dae6b547add4dae59f4e1c76 to 2.5.x/2.4.x/2.3.x branches.
Inventory: Identify all TFLite deployments using SVDF-containing models (grep model files for SVDF op type).
Workaround: Validate model graph before loading — reject models with SVDF ops on unpatched runtimes.
Detection: Monitor inference process crash rates; unexpected TFLite segfaults on SVDF inference paths indicate attempted exploitation.
Edge devices: Prioritize OTA updates for devices running TFLite-based speech/wake-word models.

Classification

Code Execution DoS Framework Inference AML.T0010.001 - AI Software AML.T0011.001 - Malicious Package AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system security

NIST AI RMF

MANAGE-2.2 - Mechanisms to respond to and recover from AI risks

OWASP LLM Top 10

LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2021-37681?

Teams running TensorFlow Lite inference with SVDF layers (common in keyword-spotting and speech models) are exposed to application crashes and potential code execution on affected versions. Upgrade to TF 2.6.0 or the respective cherrypick backports (2.5.1, 2.4.3, 2.3.4) immediately. Edge AI and mobile deployments are highest risk given local attacker access requirements.

Is CVE-2021-37681 actively exploited?

No confirmed active exploitation of CVE-2021-37681 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37681?

1. Patch: Upgrade to TensorFlow 2.6.0 or apply cherrypick commit 5b048e87e4e55990dae6b547add4dae59f4e1c76 to 2.5.x/2.4.x/2.3.x branches. 2. Inventory: Identify all TFLite deployments using SVDF-containing models (grep model files for SVDF op type). 3. Workaround: Validate model graph before loading — reject models with SVDF ops on unpatched runtimes. 4. Detection: Monitor inference process crash rates; unexpected TFLite segfaults on SVDF inference paths indicate attempted exploitation. 5. Edge devices: Prioritize OTA updates for devices running TFLite-based speech/wake-word models.

What systems are affected by CVE-2021-37681?

This vulnerability affects the following AI/ML architecture patterns: on-device inference (mobile/IoT), TFLite model serving, speech/keyword detection pipelines, training pipelines with TFLite conversion, edge AI deployments.

What is the CVSS score for CVE-2021-37681?

CVE-2021-37681 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of SVDF in TFLite is [vulnerable to a null pointer error](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/svdf.cc#L300-L313). The [`GetVariableInput` function](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/kernel_util.cc#L115-L119) can return a null pointer but `GetTensorData` assumes that the argument is always a valid tensor. Furthermore, because `GetVariableInput` calls [`GetMutableInput`](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/kernel_util.cc#L82-L90) which might return `nullptr`, the `tensor->is_variable` expression can also trigger a null pointer exception. We have patched the issue in GitHub commit 5b048e87e4e55990dae6b547add4dae59f4e1c76. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with local access to a system running a TFLite-based speech recognition or keyword detection application crafts or modifies a TFLite model with a malformed SVDF layer that causes GetVariableInput to return a null pointer. When the application loads and runs inference on this model, GetTensorData dereferences the null pointer — crashing the inference process (DoS). On embedded targets with predictable memory layout, this primitive can be chained with a heap grooming technique to redirect execution flow. In a shared ML inference server or a containerized AI workload with untrusted model uploads, an attacker could crash the serving process repeatedly, achieving persistent denial of the AI service.