CVE-2021-37683: TFLite: division by zero DoS in inference kernels

MEDIUM
Published August 12, 2021
CISO Take

TensorFlow Lite's DIV kernel has no zero-check on divisor tensors, allowing a local attacker to crash any inference process using division operations. Patch to TF 2.6.0 / 2.5.1 / 2.4.3 / 2.3.4 immediately on all affected deployments. Edge AI systems processing externally-sourced input data face the highest exposure—input validation at the pipeline boundary is the critical compensating control.

What is the risk?

MEDIUM risk in standard deployments, elevated in edge/IoT scenarios where input data originates from untrusted sources. Attack vector is local per CVSS, but many TFLite deployments process data from external sensors, cameras, or network feeds—effectively extending the attack surface beyond local access. Exploitation is trivial once the vulnerable code path is identified. No active exploitation observed, not in CISA KEV. Impact is availability-only; confidentiality and integrity are unaffected.

What systems are affected?

Package      Ecosystem   Vulnerable Range   Patched
TensorFlow   pip                            No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 5.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 5% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

What should I do?

5 steps
  1. Patch immediately: Upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4 (commit 1e206baedf8bef0334cca3eb92bab134ef525a28).

  2. Input validation: Reject or sanitize tensors containing zero values upstream before any DIV operation in inference pipelines.

  3. Process isolation: Run TFLite inference in sandboxed processes so a crash cannot destabilize the parent application or system.

  4. Detection: Alert on anomalous inference process crash rates—repeated crashes from specific input sources may indicate exploitation.

  5. Asset inventory: Enumerate all services and applications using TFLite with division layers to scope patching effort before the next release cycle.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2 - AI System Robustness and Reliability
NIST AI RMF
MANAGE-2.2 - Sustain AI System Value and Reduce Negative Impacts
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2021-37683?

TensorFlow Lite's DIV kernel has no zero-check on divisor tensors, allowing a local attacker to crash any inference process using division operations. Patch to TF 2.6.0 / 2.5.1 / 2.4.3 / 2.3.4 immediately on all affected deployments. Edge AI systems processing externally-sourced input data face the highest exposure—input validation at the pipeline boundary is the critical compensating control.

Is CVE-2021-37683 actively exploited?

No confirmed active exploitation of CVE-2021-37683 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37683?

  1. Patch immediately: Upgrade to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4 (commit 1e206baedf8bef0334cca3eb92bab134ef525a28).

  2. Input validation: Reject or sanitize tensors containing zero values upstream before any DIV operation in inference pipelines.

  3. Process isolation: Run TFLite inference in sandboxed processes so a crash cannot destabilize the parent application or system.

  4. Detection: Alert on anomalous inference process crash rates—repeated crashes from specific input sources may indicate exploitation.

  5. Asset inventory: Enumerate all services and applications using TFLite with division layers to scope patching effort before the next release cycle.

What systems are affected by CVE-2021-37683?

This vulnerability affects the following AI/ML architecture patterns: Edge inference (TFLite on mobile/embedded), On-device ML applications (Android/iOS), IoT sensor processing pipelines, Real-time inference systems, Automated ML inference pipelines.

What is the CVSS score for CVE-2021-37683?

CVE-2021-37683 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.15%.

What is the AI security impact?

Affected AI Architectures

Edge inference (TFLite on mobile/embedded)
On-device ML applications (Android/iOS)
IoT sensor processing pipelines
Real-time inference systems
Automated ML inference pipelines

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0043 Craft Adversarial Data
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of division in TFLite is [vulnerable to a division by 0 error](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/div.cc). There is no check that the divisor tensor does not contain zero elements. We have patched the issue in GitHub commit 1e206baedf8bef0334cca3eb92bab134ef525a28. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
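The advisory above and mitigation step 2 ("reject tensors containing zero values upstream before any DIV operation") describe the same check from two sides: the kernel should refuse a divisor tensor with any zero element, and a pipeline can apply the same scan at its input boundary. The block below is an added illustration written for this page; it is not TensorFlow's div.cc and not the patch in the commit named above. It models a minimal element-wise integer DIV over flat tensors in the unguarded shape the advisory describes, beside a guarded form that scans the divisor before dividing. All names (DivStatus, DivUnguarded, ContainsZero, DivGuarded, InputSafeAsDivisor) and the sample tensors are constructed for the example.

```cpp
// Added example for CVE-2021-37683; hypothetical names, not TensorFlow's own code.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <vector>

// Stand-in for a kernel status code (assumption: ok / error is all we need here).
enum class DivStatus { kOk, kError };

// BEFORE (the shape the advisory describes): element-wise division with no
// look at the divisor tensor. Integer division by zero is undefined behaviour
// in C++ and traps (SIGFPE on x86) in practice, which is the crash reported.
// Only ever called with a non-zero divisor in this example.
std::vector<int32_t> DivUnguarded(const std::vector<int32_t>& a,
                                  const std::vector<int32_t>& b) {
  std::vector<int32_t> out(a.size());
  for (size_t i = 0; i < a.size(); ++i) out[i] = a[i] / b[i];
  return out;
}

// The guard: scan the whole divisor tensor for zero elements before any
// division happens, so the operation can fail cleanly instead of trapping.
template <typename T>
bool ContainsZero(const std::vector<T>& tensor) {
  for (const T& v : tensor) {
    if (v == 0) return true;
  }
  return false;
}

// AFTER: refuse the operation when the divisor has any zero element.
// No broadcasting in this toy; shapes must match exactly.
DivStatus DivGuarded(const std::vector<int32_t>& a,
                     const std::vector<int32_t>& b,
                     std::vector<int32_t>* out) {
  if (a.size() != b.size()) return DivStatus::kError;  // shape mismatch
  if (ContainsZero(b)) return DivStatus::kError;        // zero divisor: reject
  out->assign(a.size(), 0);
  for (size_t i = 0; i < a.size(); ++i) (*out)[i] = a[i] / b[i];
  return DivStatus::kOk;
}

// Pipeline-boundary validator (mitigation step 2) for a float input tensor
// that the model later uses as a divisor. Float division by zero does not
// trap in C++ (IEEE 754 gives inf/NaN), so for float the hazard is corrupted
// output rather than a crash; the validator rejects zeros and non-finite
// values so neither reaches the DIV op.
bool InputSafeAsDivisor(const std::vector<float>& tensor) {
  for (float v : tensor) {
    if (v == 0.0f || !std::isfinite(v)) return false;
  }
  return true;
}

int main() {
  // Constructed sample tensors: a benign divisor and one carrying a zero.
  const std::vector<int32_t> numer = {8, 9, 10};
  const std::vector<int32_t> good_denom = {2, 3, 5};
  const std::vector<int32_t> bad_denom = {2, 0, 5};

  std::vector<int32_t> out;
  std::printf("guarded/good: %s\n",
              DivGuarded(numer, good_denom, &out) == DivStatus::kOk ? "ok" : "error");
  std::printf("guarded/bad:  %s\n",
              DivGuarded(numer, bad_denom, &out) == DivStatus::kOk ? "ok" : "error");
  std::printf("float input {1.5, 0, 2} accepted: %s\n",
              InputSafeAsDivisor({1.5f, 0.0f, 2.0f}) ? "yes" : "no");
  return 0;
}
```

One caveat for anyone relying on step 2 alone: the divisor of a DIV op inside a model is often an intermediate tensor computed from the input, not the raw input itself, so a boundary check on model inputs only covers the case where the divisor is taken directly from them. The kernel-side guard (or the patched release) is what closes the gap for every graph.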

Exploitation Scenario

An adversary targeting an edge AI deployment (e.g., a smart camera running TFLite object detection or a mobile app performing on-device inference) crafts or tampers with input data to introduce a tensor containing zero-valued elements in a position used as a divisor by the model's DIV operation. When the inference engine processes this input, the unguarded division-by-zero in div.cc causes the TFLite runtime to crash or enter undefined behavior. By repeatedly injecting such inputs—via a poisoned data feed, manipulated camera frame, or malicious file processed by the app—the adversary sustains denial of the AI inference service. In automated pipelines with no manual oversight, this disruption persists until the process restarts or the input source is investigated.

Weaknesses (CWE)

CWE-369 — Divide By Zero: The product divides a value by zero.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: August 12, 2021
Last Modified: November 21, 2024
First Seen: August 12, 2021
