CVE-2021-37685: TensorFlow OOB read leaks heap

CISO Take

A low-privilege local attacker can trigger a heap out-of-bounds read in TFLite's expand_dims kernel by passing a large negative axis value, potentially leaking heap memory contents including model data or process secrets. Patch immediately to TF 2.6.0 or apply backports to 2.5.1/2.4.3/2.3.4. Risk is highest in shared ML infrastructure or edge deployments that execute untrusted TFLite models.

What is the risk?

Medium risk (CVSS 5.5). Local attack vector limits broad exposure, but low attack complexity and no user interaction required means exploitation is straightforward once local access is obtained. In multi-tenant ML training environments or model serving platforms processing user-supplied TFLite models, the confidentiality impact is material. Not in CISA KEV; no active exploitation reported. Severity is bounded by local-only vector.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 3d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

5.5 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 7% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I None

A None

What should I do?

5 steps

Upgrade to TensorFlow 2.6.0 or apply backport patches to TF 2.5.1, 2.4.3, or 2.3.4 (commit d94ffe08a65400f898241c0374e9edc6fa8ed257).
Audit all TFLite model sources — implement allowlisting and cryptographic verification of .tflite files before execution.
Run TFLite inference in sandboxed, least-privilege processes to limit blast radius of any memory disclosure.
Enable memory-safety tooling (ASAN/MSAN) in CI/CD pipelines to catch similar OOB issues before production.
Monitor for anomalous model loading from untrusted or unexpected sources in ML serving logs.

How is it classified?

Data Extraction Privacy Violation Framework Inference AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system security and resilience

NIST AI RMF

MANAGE-2.2 - Manage AI risks through established processes

OWASP LLM Top 10

LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-37685?

A low-privilege local attacker can trigger a heap out-of-bounds read in TFLite's expand_dims kernel by passing a large negative axis value, potentially leaking heap memory contents including model data or process secrets. Patch immediately to TF 2.6.0 or apply backports to 2.5.1/2.4.3/2.3.4. Risk is highest in shared ML infrastructure or edge deployments that execute untrusted TFLite models.

Is CVE-2021-37685 actively exploited?

No confirmed active exploitation of CVE-2021-37685 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37685?

1. Upgrade to TensorFlow 2.6.0 or apply backport patches to TF 2.5.1, 2.4.3, or 2.3.4 (commit d94ffe08a65400f898241c0374e9edc6fa8ed257). 2. Audit all TFLite model sources — implement allowlisting and cryptographic verification of .tflite files before execution. 3. Run TFLite inference in sandboxed, least-privilege processes to limit blast radius of any memory disclosure. 4. Enable memory-safety tooling (ASAN/MSAN) in CI/CD pipelines to catch similar OOB issues before production. 5. Monitor for anomalous model loading from untrusted or unexpected sources in ML serving logs.

What systems are affected by CVE-2021-37685?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, edge/IoT AI deployments, mobile ML inference.

What is the CVSS score for CVE-2021-37685?

CVE-2021-37685 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.17%.

What is the AI security impact?

Affected AI Architectures

model servingtraining pipelinesedge/IoT AI deploymentsmobile ML inference

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0011.000 Unsafe AI Artifacts

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: A.6.2.6

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. In affected versions TFLite's [`expand_dims.cc`](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/expand_dims.cc#L36-L50) contains a vulnerability which allows reading one element outside of bounds of heap allocated data. If `axis` is a large negative value (e.g., `-100000`), then after the first `if` it would still be negative. The check following the `if` statement will pass and the `for` loop would read one element before the start of `input_dims.data` (when `i = 0`). We have patched the issue in GitHub commit d94ffe08a65400f898241c0374e9edc6fa8ed257. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with local access to a system running a vulnerable TFLite inference service crafts a malicious .tflite model in which the expand_dims operator is configured with a large negative axis value (e.g., -100000). When the model is loaded and executed for inference, the unvalidated axis value bypasses the bounds check — the first conditional leaves it negative, the subsequent check passes incorrectly, and the for loop reads one element before the start of the heap-allocated input_dims buffer. This leaks a memory value from the preceding heap chunk, potentially exposing sensitive runtime data. In a shared ML serving environment where multiple tenants submit models for inference, this becomes a cross-tenant information disclosure primitive.

Weaknesses (CWE)

CWE-125 Out-of-bounds Read

CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] Use a language that provides appropriate memory abstractions.

Source: MITRE CWE corpus.