CVE-2021-37682: TFLite: uninitialized quant params corrupt inference

HIGH
Published August 12, 2021
CISO Take

TFLite's quantized inference ops read uninitialized memory when quantization type checks are missing, enabling integrity corruption and crashes. If your organization deploys TFLite on edge, mobile, or embedded devices, patch immediately to TF 2.6.0 or the applicable cherrypick release. This is a local-only attack but low-privilege access is sufficient — any user or process that can feed a crafted model to a TFLite runtime is in scope.

Risk Assessment

Risk is moderate in isolation (local AV, no confidentiality impact) but elevated in shared or multi-tenant edge/mobile deployments. An adversary with local access or the ability to supply a crafted .tflite model can trigger undefined behavior across all quantized ops — a broad attack surface given quantization is ubiquitous in TFLite deployments for performance. The lack of CISA KEV listing and no public exploits reduce urgency, but the low complexity and low privilege bar mean exploitation is not gated by sophistication.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | | No patch |

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1: 7.1 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 12% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: High
A: High

Recommended Action

  1. Patch: Upgrade to TensorFlow 2.6.0, or apply cherrypick commits to TF 2.5.1, 2.4.3, or 2.3.4 (commits 537bc7c, 4a91f20, 8933b8a).

  2. Inventory: Identify all TFLite deployments in production — especially mobile SDKs, edge devices, and any microservice running a .tflite model.

  3. Model provenance: Enforce signed/trusted model artifact pipelines — do not load .tflite files from untrusted or user-supplied sources.

  4. Detection: Monitor inference runtime for unexpected crashes or segfaults in TFLite processes; treat repeated crashes as potential exploitation attempts.

  5. Short-term workaround if patching is blocked: At the application layer, validate that quantization.type != kTfLiteNoQuantization before any op accesses quantization.params.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 6.1.2 - AI risk assessment
NIST AI RMF: MANAGE 4.1 - Residual risks and incidents from AI systems are monitored and managed
OWASP LLM Top 10: LLM05:2025 - Improper Output Handling

Frequently Asked Questions

Is CVE-2021-37682 actively exploited?

No confirmed active exploitation of CVE-2021-37682 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2021-37682?

This vulnerability affects the following AI/ML architecture patterns: edge AI inference, mobile ML deployment, on-device TFLite model serving, embedded/MCU ML pipelines, model validation pipelines.

What is the CVSS score for CVE-2021-37682?

CVE-2021-37682 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions all TFLite operations that use quantization can be made to use uninitialized values. [For example](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/depthwise_conv.cc#L198-L200). The issue stems from the fact that `quantization.params` is only valid if `quantization.type` is different than `kTfLiteNoQuantization`. However, these checks are missing in large parts of the code. We have patched the issue in GitHub commits 537bc7c723439b9194a358f64d871dd326c18887, 4a91f2069f7145aab6ba2d8cfe41be8a110c18a5 and 8933b8a21280696ab119b63263babdb54c298538. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
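The guard described in the NVD text above and in step 5 of the recommended actions, as an added example (not TensorFlow's code and not the patch itself). The struct definitions are simplified stand-ins for the types in the TFLite C API, and `read_quant_params`, `QStatus` and the sample tensors are hypothetical names constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the types in tensorflow/lite/c/common.h so the
   example builds without TensorFlow; the real arrays are variable-length. */
typedef enum { kTfLiteNoQuantization = 0, kTfLiteAffineQuantization = 1 } TfLiteQuantizationType;
typedef struct { int size; float data[1]; } TfLiteFloatArray;
typedef struct { int size; int data[1]; } TfLiteIntArray;
typedef struct { TfLiteFloatArray *scale; TfLiteIntArray *zero_point; int32_t quantized_dimension; } TfLiteAffineQuantization;
typedef struct { TfLiteQuantizationType type; void *params; } TfLiteQuantization;
typedef struct { TfLiteQuantization quantization; } TfLiteTensor;

typedef enum { Q_OK = 0, Q_NOT_QUANTIZED = 1, Q_BAD_PARAMS = 2 } QStatus;

/* Hypothetical application-layer guard: outputs are written only on Q_OK. */
QStatus read_quant_params(const TfLiteTensor *t, float *scale, int32_t *zero_point) {
    /* The check the advisory says was missing: params is only meaningful
       when type is not kTfLiteNoQuantization. */
    if (t->quantization.type == kTfLiteNoQuantization) return Q_NOT_QUANTIZED;
    const TfLiteAffineQuantization *q = t->quantization.params;
    /* Added hardening beyond the page's condition: reject absent or empty arrays. */
    if (!q || !q->scale || !q->zero_point || q->scale->size < 1 || q->zero_point->size < 1)
        return Q_BAD_PARAMS;
    *scale = q->scale->data[0];
    *zero_point = q->zero_point->data[0];
    return Q_OK;
}

/* Constructed sample data. */
static TfLiteFloatArray k_scale = { 1, { 0.5f } };
static TfLiteIntArray k_zero = { 1, { 128 } };
static TfLiteAffineQuantization k_affine = { &k_scale, &k_zero, 0 };
static int k_stale; /* stands in for leftover bytes behind params; never dereferenced */

TfLiteTensor quantized_tensor(void) { TfLiteTensor t = { { kTfLiteAffineQuantization, &k_affine } }; return t; }
TfLiteTensor unquantized_tensor(void) { TfLiteTensor t = { { kTfLiteNoQuantization, &k_stale } }; return t; }

int main(void) {
    float s = 0.0f; int32_t z = 0;
    TfLiteTensor a = quantized_tensor(), b = unquantized_tensor();
    printf("quantized:   status=%d\n", read_quant_params(&a, &s, &z));
    printf("unquantized: status=%d\n", read_quant_params(&b, &s, &z));
    return 0;
}
```

The unquantized sample deliberately carries a non-NULL `params` pointer, so only the type check, not a NULL test, keeps the stale pointer from being read.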

Exploitation Scenario

An attacker with local access (or the ability to inject a malicious .tflite model into a CI/CD pipeline or model registry) crafts a TFLite model where quantization.type is set to kTfLiteNoQuantization; because the type-check guard is missing, downstream ops still read quantization.params. When the model is loaded and executed — in a mobile app, an edge inference server, or a model validation pipeline — the runtime accesses uninitialized stack/heap memory. Depending on memory layout, this produces corrupted quantized tensor outputs (silent integrity failure: model predicts wrong class) or crashes the process (DoS). In a CI/CD context where models are automatically validated, a poisoned model could crash the testing harness and block releases.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Timeline

Published
August 12, 2021
Last Modified
November 21, 2024
First Seen
August 12, 2021
