CVE-2021-37684 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

This medium-severity vulnerability allows a local attacker to crash TFLite inference processes by supplying malformed tensor inputs to pooling operations, causing a division-by-zero fault. Impact is limited to availability — no data exposure or code execution. Patch to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4 if running TFLite in edge/mobile deployments; no compensating control exists short of input validation at the application layer.

Risk Assessment

Practical risk is low-to-medium. Exploitation requires local access (AV:L) and only impacts availability (A:H), with no confidentiality or integrity exposure. The attack is trivial to execute — a crafted zero-dimension tensor input suffices — but the local access requirement significantly limits the attacker pool. Most at risk are edge/IoT deployments where physical or process-level access may be more readily available. Not in CISA KEV; no evidence of active exploitation.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 1% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch immediately to TF 2.6.0 or cherrypicked versions: 2.5.1, 2.4.3, 2.3.4.
Audit all mobile/edge applications bundling TFLite to confirm runtime version.
As interim workaround: add application-layer validation to reject tensors with zero-valued spatial dimensions before passing to pooling layers.
Detection: monitor inference processes for unexpected crashes or SIGFPE signals; log and alert on abnormal tensor shapes at inference endpoints.
For containerized edge deployments, enforce process restart policies to minimize downtime.

Classification

DoS Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 9 - Risk management system

ISO 42001

A.6.2.3 - AI system testing and verification A.9.2 - AI system availability and resilience

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain AI system trustworthiness MAP-1.1 - Context is established for AI risk assessment

Frequently Asked Questions

What is CVE-2021-37684?

This medium-severity vulnerability allows a local attacker to crash TFLite inference processes by supplying malformed tensor inputs to pooling operations, causing a division-by-zero fault. Impact is limited to availability — no data exposure or code execution. Patch to TensorFlow 2.6.0, 2.5.1, 2.4.3, or 2.3.4 if running TFLite in edge/mobile deployments; no compensating control exists short of input validation at the application layer.

Is CVE-2021-37684 actively exploited?

No confirmed active exploitation of CVE-2021-37684 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37684?

1. Patch immediately to TF 2.6.0 or cherrypicked versions: 2.5.1, 2.4.3, 2.3.4. 2. Audit all mobile/edge applications bundling TFLite to confirm runtime version. 3. As interim workaround: add application-layer validation to reject tensors with zero-valued spatial dimensions before passing to pooling layers. 4. Detection: monitor inference processes for unexpected crashes or SIGFPE signals; log and alert on abnormal tensor shapes at inference endpoints. 5. For containerized edge deployments, enforce process restart policies to minimize downtime.

What systems are affected by CVE-2021-37684?

This vulnerability affects the following AI/ML architecture patterns: edge inference (TFLite), mobile ML deployment, embedded AI systems, model serving pipelines using TFLite runtime.

What is the CVSS score for CVE-2021-37684?

CVE-2021-37684 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementations of pooling in TFLite are vulnerable to division by 0 errors as there are no checks for divisors not being 0. We have patched the issue in GitHub commit [dfa22b348b70bb89d6d6ec0ff53973bacb4f4695](https://github.com/tensorflow/tensorflow/commit/dfa22b348b70bb89d6d6ec0ff53973bacb4f4695). The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with local process access — or API access to a TFLite inference endpoint accepting user-supplied model inputs — crafts a tensor with one or more spatial dimensions set to zero and submits it to any pooling operation (e.g., MaxPool2D). The kernel attempts to compute output size by dividing by zero, triggering an unhandled exception and crashing the inference process. In a continuous inference pipeline (e.g., real-time video processing on an edge device), repeated submission causes persistent denial of service without requiring elevated privileges.