CVE-2021-37685 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

A low-privilege local attacker can trigger a heap out-of-bounds read in TFLite's expand_dims kernel by passing a large negative axis value, potentially leaking heap memory contents including model data or process secrets. Patch immediately to TF 2.6.0 or apply backports to 2.5.1/2.4.3/2.3.4. Risk is highest in shared ML infrastructure or edge deployments that execute untrusted TFLite models.

Risk Assessment

Medium risk (CVSS 5.5). Local attack vector limits broad exposure, but low attack complexity and no user interaction required means exploitation is straightforward once local access is obtained. In multi-tenant ML training environments or model serving platforms processing user-supplied TFLite models, the confidentiality impact is material. Not in CISA KEV; no active exploitation reported. Severity is bounded by local-only vector.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 12% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I None

A None

Recommended Action

5 steps

Upgrade to TensorFlow 2.6.0 or apply backport patches to TF 2.5.1, 2.4.3, or 2.3.4 (commit d94ffe08a65400f898241c0374e9edc6fa8ed257).
Audit all TFLite model sources — implement allowlisting and cryptographic verification of .tflite files before execution.
Run TFLite inference in sandboxed, least-privilege processes to limit blast radius of any memory disclosure.
Enable memory-safety tooling (ASAN/MSAN) in CI/CD pipelines to catch similar OOB issues before production.
Monitor for anomalous model loading from untrusted or unexpected sources in ML serving logs.

Classification

Data Extraction Privacy Violation Framework Inference AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system security and resilience

NIST AI RMF

MANAGE-2.2 - Manage AI risks through established processes

OWASP LLM Top 10

LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-37685?

A low-privilege local attacker can trigger a heap out-of-bounds read in TFLite's expand_dims kernel by passing a large negative axis value, potentially leaking heap memory contents including model data or process secrets. Patch immediately to TF 2.6.0 or apply backports to 2.5.1/2.4.3/2.3.4. Risk is highest in shared ML infrastructure or edge deployments that execute untrusted TFLite models.

Is CVE-2021-37685 actively exploited?

No confirmed active exploitation of CVE-2021-37685 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37685?

1. Upgrade to TensorFlow 2.6.0 or apply backport patches to TF 2.5.1, 2.4.3, or 2.3.4 (commit d94ffe08a65400f898241c0374e9edc6fa8ed257). 2. Audit all TFLite model sources — implement allowlisting and cryptographic verification of .tflite files before execution. 3. Run TFLite inference in sandboxed, least-privilege processes to limit blast radius of any memory disclosure. 4. Enable memory-safety tooling (ASAN/MSAN) in CI/CD pipelines to catch similar OOB issues before production. 5. Monitor for anomalous model loading from untrusted or unexpected sources in ML serving logs.

What systems are affected by CVE-2021-37685?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, edge/IoT AI deployments, mobile ML inference.

What is the CVSS score for CVE-2021-37685?

CVE-2021-37685 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions TFLite's [`expand_dims.cc`](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/expand_dims.cc#L36-L50) contains a vulnerability which allows reading one element outside of bounds of heap allocated data. If `axis` is a large negative value (e.g., `-100000`), then after the first `if` it would still be negative. The check following the `if` statement will pass and the `for` loop would read one element before the start of `input_dims.data` (when `i = 0`). We have patched the issue in GitHub commit d94ffe08a65400f898241c0374e9edc6fa8ed257. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with local access to a system running a vulnerable TFLite inference service crafts a malicious .tflite model in which the expand_dims operator is configured with a large negative axis value (e.g., -100000). When the model is loaded and executed for inference, the unvalidated axis value bypasses the bounds check — the first conditional leaves it negative, the subsequent check passes incorrectly, and the for loop reads one element before the start of the heap-allocated input_dims buffer. This leaks a memory value from the preceding heap chunk, potentially exposing sensitive runtime data. In a shared ML serving environment where multiple tenants submit models for inference, this becomes a cross-tenant information disclosure primitive.