CVE-2021-37686: TFLite: infinite loop DoS via crafted strided slice model

GHSA-mhhc-q96p-mfm9 MEDIUM
Published August 12, 2021
CISO Take

If your org deploys TensorFlow Lite 2.6.0rc0/rc1 (pre-release builds), an attacker with the ability to supply a model file can hang the inference process indefinitely. Impact is limited to availability — no code execution, no data exfiltration. Patch to 2.6.0rc2 or stable 2.6.0+; if running stable releases, you are not affected.

Risk Assessment

Risk is LOW-MEDIUM in practice. The affected range is exclusively pre-release RC builds (2.6.0rc0, rc1), making production exposure rare. EPSS of 0.00012 confirms negligible exploitation activity. The local attack vector requires an adversary to deliver a malicious model file to a target system — not a remote, unauthenticated exploit. However, in edge/mobile AI deployments where model files are loaded from untrusted sources (app stores, user uploads, third-party model zoos), the threat surface is non-trivial.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | | No patch |
| tensorflow | pip | >= 2.6.0rc0, < 2.6.0rc2 | 2.6.0rc2 |
| tensorflow-cpu | pip | >= 2.6.0rc0, < 2.6.0rc2 | 2.6.0rc2 |
| tensorflow-gpu | pip | >= 2.6.0rc0, < 2.6.0rc2 | 2.6.0rc2 |

Severity & Risk

CVSS 3.1: 5.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 2% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

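Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High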

Recommended Action

  1. Patch: upgrade tensorflow/tensorflow-cpu/tensorflow-gpu to 2.6.0rc2 or any stable 2.6.x/2.7+ release.

  2. Verify exposure: audit CI/CD and deployment pipelines for TF 2.6.0rc0/rc1 usage — RC builds should never be in production.

  3. Model provenance controls: ensure TFLite model files are loaded only from trusted, integrity-verified sources (signed models, checksum validation).

  4. Resource limits: apply process-level CPU and time limits to inference workers as a defense-in-depth measure against loop-based DoS.

  5. Detection: monitor inference workers for CPU pinning or unresponsiveness; alert on processes exceeding inference time thresholds.
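
Steps 3 to 5 can be combined in one wrapper around the inference worker. The following is an added example, not code from TensorFlow or from this advisory: it checks the model's SHA-256 against a trusted digest, then runs the worker in a child process under a CPU-time rlimit and a wall-clock timeout. The worker command line and the source of the trusted digest are assumptions, and `resource` and `preexec_fn` are POSIX-only.

```python
import hashlib
import resource  # POSIX only
import subprocess
import sys
import tempfile


def sha256_file(path):
    """Stream the file so large models are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def run_guarded(model_path, trusted_sha256, worker_argv, cpu_seconds=5, wall_seconds=15):
    """Return (status, detail); status is rejected, ok, failed, killed or timeout."""
    digest = sha256_file(model_path)
    if digest != trusted_sha256.lower():
        return ("rejected", digest)  # step 3: unverified models never reach the runtime

    def limit_cpu():
        # Runs in the child before exec. The kernel sends SIGXCPU at the soft
        # limit and SIGKILL at the hard limit, so a spinning kernel is stopped.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))

    try:
        proc = subprocess.run(worker_argv + [model_path], preexec_fn=limit_cpu,
                              timeout=wall_seconds, capture_output=True)
    except subprocess.TimeoutExpired:
        return ("timeout", wall_seconds)  # step 4: wall-clock bound, child was killed
    if proc.returncode < 0:
        return ("killed", -proc.returncode)  # step 5: signal number to alert on
    return ("ok" if proc.returncode == 0 else "failed", proc.returncode)


if __name__ == "__main__":
    # Constructed stand-ins: a dummy "model" file and a worker that spins forever.
    with tempfile.NamedTemporaryFile(suffix=".tflite") as model:
        model.write(b"constructed placeholder, not a real model")
        model.flush()
        spin = [sys.executable, "-c", "while True: pass"]
        print(run_guarded(model.name, sha256_file(model.name), spin, cpu_seconds=1))
```

A `killed` or `timeout` status is the event to alert on; in production the worker would be the process that actually loads the model with the TFLite interpreter.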

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.5 - AI system robustness and availability
NIST AI RMF: MANAGE 2.4 - Residual risks from AI system components are managed; MEASURE 2.5 - AI system robustness is evaluated

Frequently Asked Questions

Is CVE-2021-37686 actively exploited?

No confirmed active exploitation of CVE-2021-37686 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2021-37686?

This vulnerability affects the following AI/ML architecture patterns: mobile/edge inference, model serving, training pipelines.

What is the CVSS score for CVE-2021-37686?

CVE-2021-37686 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the strided slice implementation in TFLite has a logic bug which can allow an attacker to trigger an infinite loop. This arises from newly introduced support for [ellipsis in axis definition](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/strided_slice.cc#L103-L122). An attacker can craft a model such that `ellipsis_end_idx` is smaller than `i` (e.g., always negative). In this case, the inner loop does not increase `i` and the `continue` statement causes execution to skip over the preincrement at the end of the outer loop. We have patched the issue in GitHub commit dfa22b348b70bb89d6d6ec0ff53973bacb4f4695. TensorFlow 2.6.0 is the only affected version.
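
The control flow described above, as an added Python model rather than the TFLite source: an outer loop whose only increment sits at the end of its body, an inner loop bounded by `ellipsis_end_idx`, and a `continue` after it. Here `ellipsis_end_idx` is passed in directly as a stand-in for the value derived from the model, the iteration budget exists only so the model terminates, and the `guard` branch is one illustrative way to force progress, not necessarily what the upstream commit does.

```python
def walk_axes(effective_dims, ellipsis_mask, ellipsis_end_idx, guard, budget=10_000):
    """Return the number of outer iterations, or None if the loop stops making progress."""
    i = 0
    outer_iterations = 0
    while i < effective_dims:
        outer_iterations += 1
        if outer_iterations > budget:
            return None  # modelled hang: i never advanced
        if (1 << i) & ellipsis_mask:
            end = ellipsis_end_idx
            if guard:
                # Hardened form: the ellipsis always consumes at least this axis.
                end = max(i + 1, end)
            while i < end:  # never entered when end <= i
                i += 1
            continue  # skips the increment at the end of the outer body
        i += 1  # the only other place i advances
    return outer_iterations


if __name__ == "__main__":
    # Constructed inputs: 4 axes with the ellipsis bit set on axis 1.
    print(walk_axes(4, 0b0010, 3, guard=False))   # well-formed bound: terminates
    print(walk_axes(4, 0b0010, -1, guard=False))  # bound below i: no progress
    print(walk_axes(4, 0b0010, -1, guard=True))   # guarded: terminates
```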

Exploitation Scenario

An adversary targeting an edge AI deployment (e.g., a mobile app or IoT device using TFLite 2.6.0rc1) crafts a malicious .tflite model file with a strided slice op configured so that `ellipsis_end_idx` is always smaller than the loop index `i`. The adversary distributes this model via a compromised model repository, a poisoned model update, or by abusing a feature that allows user-supplied models. When the device loads and runs inference on this model, the TFLite runtime enters an infinite loop, pinning a CPU core and rendering the inference process unresponsive — effectively taking down any AI-dependent functionality until the process is killed or the device reboots.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: August 12, 2021
Last Modified: November 21, 2024
First Seen: August 12, 2021

Related Vulnerabilities