CVE-2021-37682: TFLite: uninitialized quant params corrupt inference

HIGH
Published August 12, 2021
CISO Take

TFLite's quantized inference ops read uninitialized memory when quantization type checks are missing, enabling integrity corruption and crashes. If your organization deploys TFLite on edge, mobile, or embedded devices, patch immediately to TF 2.6.0 or the applicable cherrypick release. This is a local-only attack but low-privilege access is sufficient — any user or process that can feed a crafted model to a TFLite runtime is in scope.

What is the risk?

Risk is moderate in isolation (local AV, no confidentiality impact) but elevated in shared or multi-tenant edge/mobile deployments. An adversary with local access or the ability to supply a crafted .tflite model can trigger undefined behavior across all quantized ops — a broad attack surface given quantization is ubiquitous in TFLite deployments for performance. The lack of CISA KEV listing and no public exploits reduce urgency, but the low complexity and low privilege bar mean exploitation is not gated by sophistication.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
TensorFlow | pip | | No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 7.1 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 8% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: High
A: High

What should I do?

  1. Patch: Upgrade to TensorFlow 2.6.0, or apply cherrypick commits to TF 2.5.1, 2.4.3, or 2.3.4 (commits 537bc7c, 4a91f20, 8933b8a).

  2. Inventory: Identify all TFLite deployments in production — especially mobile SDKs, edge devices, and any microservice running a .tflite model.

  3. Model provenance: Enforce signed/trusted model artifact pipelines — do not load .tflite files from untrusted or user-supplied sources.

  4. Detection: Monitor inference runtime for unexpected crashes or segfaults in TFLite processes; treat repeated crashes as potential exploitation attempts.

  5. Short-term workaround if patching is blocked: At the application layer, validate that quantization.type != kTfLiteNoQuantization before any op accesses quantization.params.
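
The guard from step 5, sketched in C as an added example (not code from TensorFlow or from this page). The structs are simplified stand-ins for TFLite's TfLiteQuantization and TfLiteAffineQuantization, and the function names, status codes and sample tensors are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins (assumption) for TFLite's TfLiteQuantization and
 * TfLiteAffineQuantization, reduced to the fields this example needs. */
typedef enum { kTfLiteNoQuantization = 0, kTfLiteAffineQuantization = 1 } QuantType;
typedef struct { int size; float data[4]; } FloatArray;
typedef struct { FloatArray *scale; int32_t quantized_dimension; } AffineQuantization;
typedef struct { QuantType type; void *params; } Quantization;
typedef struct { Quantization quantization; } Tensor;
typedef enum { kOk = 0, kError = 1 } Status; /* hypothetical status codes */

/* Unguarded pattern: params is cast and dereferenced without consulting type.
 * For kTfLiteNoQuantization, params is not valid to read. */
float first_scale_unchecked(const Tensor *t) {
    const AffineQuantization *q = (const AffineQuantization *)t->quantization.params;
    return q->scale->data[0];
}

/* Guarded pattern: check type first, then each pointer and the array bound. */
Status first_scale_checked(const Tensor *t, float *out) {
    if (t == NULL || out == NULL) return kError;
    /* Rejects kTfLiteNoQuantization and any type this code cannot interpret. */
    if (t->quantization.type != kTfLiteAffineQuantization) return kError;
    const AffineQuantization *q = (const AffineQuantization *)t->quantization.params;
    if (q == NULL || q->scale == NULL || q->scale->size < 1) return kError;
    *out = q->scale->data[0];
    return kOk;
}

/* Constructed samples: a quantized tensor, and an unquantized one whose
 * params field holds a leftover, meaningless pointer value. */
static FloatArray g_scale = { 1, { 0.5f } };
static AffineQuantization g_affine = { &g_scale, 0 };
Tensor make_quantized(void) {
    return (Tensor){ { kTfLiteAffineQuantization, &g_affine } };
}
Tensor make_unquantized_stale(void) {
    return (Tensor){ { kTfLiteNoQuantization, (void *)(uintptr_t)0xDEADBEEF } };
}

int main(void) {
    float s = 0.0f;
    Tensor ok = make_quantized(), bad = make_unquantized_stale();
    Status a = first_scale_checked(&ok, &s);
    printf("quantized: status=%d scale=%.2f\n", a, s);
    printf("unquantized: status=%d\n", first_scale_checked(&bad, &s));
    return 0;
}
```

The guarded function never touches params on the unquantized tensor, so the stale pointer is not dereferenced and the caller gets an error it can act on.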

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 6.1.2 - AI risk assessment
NIST AI RMF: MANAGE 4.1 - Residual risks and incidents from AI systems are monitored and managed
OWASP LLM Top 10: LLM05:2025 - Improper Output Handling

Frequently Asked Questions

Is CVE-2021-37682 actively exploited?

No confirmed active exploitation of CVE-2021-37682 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2021-37682?

This vulnerability affects the following AI/ML architecture patterns: edge AI inference, mobile ML deployment, on-device TFLite model serving, embedded/MCU ML pipelines, model validation pipelines.

What is the CVSS score for CVE-2021-37682?

CVE-2021-37682 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.18%.

What is the AI security impact?

Affected AI Architectures

edge AI inference
mobile ML deployment
on-device TFLite model serving
embedded/MCU ML pipelines
model validation pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 6.1.2
NIST AI RMF: MANAGE 4.1
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. In affected versions all TFLite operations that use quantization can be made to use uninitialized values. [For example](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/depthwise_conv.cc#L198-L200). The issue stems from the fact that `quantization.params` is only valid if `quantization.type` is different than `kTfLiteNoQuantization`. However, these checks are missing in large parts of the code. We have patched the issue in GitHub commits 537bc7c723439b9194a358f64d871dd326c18887, 4a91f2069f7145aab6ba2d8cfe41be8a110c18a5 and 8933b8a21280696ab119b63263babdb54c298538. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with local access (or the ability to inject a malicious .tflite model into a CI/CD pipeline or model registry) crafts a TFLite model where quantization.type is set to kTfLiteNoQuantization, while downstream ops still read quantization.params because the type-check guard is missing. When the model is loaded and executed (in a mobile app, an edge inference server, or a model validation pipeline), the runtime accesses uninitialized stack/heap memory. Depending on memory layout, this produces corrupted quantized tensor outputs (a silent integrity failure in which the model predicts the wrong class) or crashes the process (DoS). In a CI/CD context where models are automatically validated, a poisoned model could crash the testing harness and block releases.

Weaknesses (CWE)

CWE-908 — Use of Uninitialized Resource: The product uses or accesses a resource that has not been initialized.

  • [Implementation] Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
  • [Implementation] Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Timeline

Published: August 12, 2021
Last Modified: November 21, 2024
First Seen: August 12, 2021