CVE-2021-37686: TFLite: infinite loop DoS via crafted strided slice model

GHSA-mhhc-q96p-mfm9 MEDIUM
Published August 12, 2021

CISO Take

If your org deploys TensorFlow Lite 2.6.0rc0/rc1 (pre-release builds), an attacker with the ability to supply a model file can hang the inference process indefinitely. Impact is limited to availability — no code execution, no data exfiltration. Patch to 2.6.0rc2 or stable 2.6.0+; if running stable releases, you are not affected.

What is the risk?

Risk is LOW-MEDIUM in practice. The affected range is exclusively pre-release RC builds (2.6.0rc0, rc1), making production exposure rare. EPSS of 0.00012 confirms negligible exploitation activity. The local attack vector requires an adversary to deliver a malicious model file to a target system — not a remote, unauthenticated exploit. However, in edge/mobile AI deployments where model files are loaded from untrusted sources (app stores, user uploads, third-party model zoos), the threat surface is non-trivial.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | | No patch |
| TensorFlow | pip | >= 2.6.0rc0, < 2.6.0rc2 | 2.6.0rc2 |
| TensorFlow | pip | >= 2.6.0rc0, < 2.6.0rc2 | 2.6.0rc2 |
| TensorFlow | pip | >= 2.6.0rc0, < 2.6.0rc2 | 2.6.0rc2 |

How severe is it?

CVSS 3.1: 5.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 7% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: None
A: High

What should I do?

  1. Patch: upgrade tensorflow/tensorflow-cpu/tensorflow-gpu to 2.6.0rc2 or any stable 2.6.x/2.7+ release.

  2. Verify exposure: audit CI/CD and deployment pipelines for TF 2.6.0rc0/rc1 usage — RC builds should never be in production.

  3. Model provenance controls: ensure TFLite model files are loaded only from trusted, integrity-verified sources (signed models, checksum validation).

  4. Resource limits: apply process-level CPU and time limits to inference workers as a defense-in-depth measure against loop-based DoS.

  5. Detection: monitor inference workers for CPU pinning or unresponsiveness; alert on processes exceeding inference time thresholds.
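
Steps 3 to 5 combined in one sketch, as an added example that is not code from the advisory or from TensorFlow: the model bytes are checked against a pinned SHA-256 digest, then the inference worker runs in a child process under a CPU rlimit and a wall-clock timeout so a looping model is killed and reported. The worker commands, sample bytes and limit values are constructed stand-ins; a real worker would load the model with the TFLite interpreter. Requires a POSIX system for `resource`.

```python
import hashlib
import hmac
import resource
import signal
import subprocess
import sys

def digest_ok(model_bytes, pinned_hex):
    """Step 3: accept the model only if it matches the pinned SHA-256 digest."""
    actual = hashlib.sha256(model_bytes).hexdigest()
    return hmac.compare_digest(actual, pinned_hex)

def _limit_cpu(seconds):
    def apply():  # runs in the child just before exec
        _, hard = resource.getrlimit(resource.RLIMIT_CPU)
        cap = seconds + 1
        new_hard = cap if hard == resource.RLIM_INFINITY else min(hard, cap)
        resource.setrlimit(resource.RLIMIT_CPU, (min(seconds, new_hard), new_hard))
    return apply

def run_worker(argv, cpu_seconds=1, wall_seconds=5):
    """Step 4: run the worker under CPU and wall-clock limits.
    Step 5: the returned status is what a monitor would alert on."""
    try:
        proc = subprocess.run(argv, preexec_fn=_limit_cpu(cpu_seconds),
                              timeout=wall_seconds, capture_output=True)
    except subprocess.TimeoutExpired:
        return "timeout"        # blocked without burning CPU; child was killed
    if proc.returncode == 0:
        return "ok"
    if proc.returncode == -signal.SIGXCPU:
        return "cpu_limit"      # pinned a core until the soft CPU limit fired
    return "killed" if proc.returncode < 0 else "error"

def guarded_inference(model_bytes, pinned_hex, worker_argv):
    if not digest_ok(model_bytes, pinned_hex):
        return "rejected"
    return run_worker(worker_argv)

# Constructed stand-ins: SPIN_WORKER imitates an inference call that never
# returns, FAST_WORKER one that completes. SAMPLE_PIN stands in for a digest
# recorded when the model was released.
SPIN_WORKER = [sys.executable, "-c", "while True: pass"]
FAST_WORKER = [sys.executable, "-c", "print('inference done')"]
SAMPLE_MODEL = b"constructed model bytes"
SAMPLE_PIN = hashlib.sha256(SAMPLE_MODEL).hexdigest()

if __name__ == "__main__":
    print(guarded_inference(SAMPLE_MODEL, SAMPLE_PIN, FAST_WORKER))
    print(guarded_inference(SAMPLE_MODEL, SAMPLE_PIN, SPIN_WORKER))
```
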

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.5 - AI system robustness and availability
NIST AI RMF: MANAGE 2.4 - Residual risks from AI system components are managed; MEASURE 2.5 - AI system robustness is evaluated

Frequently Asked Questions

What is CVE-2021-37686?

If your org deploys TensorFlow Lite 2.6.0rc0/rc1 (pre-release builds), an attacker with the ability to supply a model file can hang the inference process indefinitely. Impact is limited to availability — no code execution, no data exfiltration. Patch to 2.6.0rc2 or stable 2.6.0+; if running stable releases, you are not affected.

Is CVE-2021-37686 actively exploited?

No confirmed active exploitation of CVE-2021-37686 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37686?

  1. Patch: upgrade tensorflow/tensorflow-cpu/tensorflow-gpu to 2.6.0rc2 or any stable 2.6.x/2.7+ release.

  2. Verify exposure: audit CI/CD and deployment pipelines for TF 2.6.0rc0/rc1 usage — RC builds should never be in production.

  3. Model provenance controls: ensure TFLite model files are loaded only from trusted, integrity-verified sources (signed models, checksum validation).

  4. Resource limits: apply process-level CPU and time limits to inference workers as a defense-in-depth measure against loop-based DoS.

  5. Detection: monitor inference workers for CPU pinning or unresponsiveness; alert on processes exceeding inference time thresholds.

What systems are affected by CVE-2021-37686?

This vulnerability affects the following AI/ML architecture patterns: mobile/edge inference, model serving, training pipelines.

What is the CVSS score for CVE-2021-37686?

CVE-2021-37686 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.17%.

What is the AI security impact?

Affected AI Architectures

mobile/edge inference, model serving, training pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0029 Denial of AI Service
AML.T0043 Craft Adversarial Data

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE 2.4, MEASURE 2.5

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the strided slice implementation in TFLite has a logic bug which can allow an attacker to trigger an infinite loop. This arises from newly introduced support for [ellipsis in axis definition](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/strided_slice.cc#L103-L122). An attacker can craft a model such that `ellipsis_end_idx` is smaller than `i` (e.g., always negative). In this case, the inner loop does not increase `i` and the `continue` statement causes execution to skip over the preincrement at the end of the outer loop. We have patched the issue in GitHub commit dfa22b348b70bb89d6d6ec0ff53973bacb4f4695. TensorFlow 2.6.0 is the only affected version.
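
The control flow the advisory describes, as an added Python model that is not TensorFlow's code: an outer loop that only increments `i` at its end, and an ellipsis branch whose inner loop runs up to `ellipsis_end_idx` and then hits `continue`. The formula for `ellipsis_end_idx`, the `extra` parameter, the iteration budget and the clamp are assumptions made for illustration; the clamp is one way to guarantee forward progress, not a claim about the upstream commit.

```python
def walk_axes(effective_dims, ellipsis_mask, extra, clamp, budget=1000):
    """Model of the axis loop. `extra` stands in for a count derived from
    model-supplied fields; a malformed model can make it negative.
    Returns (terminated, visited); terminated is False when the loop made
    no progress within `budget` outer iterations."""
    visited = []
    outer_iterations = 0
    i = 0
    while i < effective_dims:
        outer_iterations += 1
        if outer_iterations > budget:
            return False, visited          # the real loop would spin forever
        if (1 << i) & ellipsis_mask:
            # Assumed stand-in for the real computation of ellipsis_end_idx.
            ellipsis_end_idx = min(i + 1 + extra, effective_dims)
            if clamp:
                # Hardened form: the ellipsis always consumes at least axis i.
                ellipsis_end_idx = max(i + 1, ellipsis_end_idx)
            while i < ellipsis_end_idx:    # zero iterations if end <= i
                visited.append(("ellipsis", i))
                i += 1
            continue                       # skips the increment below
        visited.append(("plain", i))
        i += 1                             # the only other place i advances
    return True, visited

if __name__ == "__main__":
    # Constructed inputs: 4 axes, ellipsis at axis 1.
    print(walk_axes(4, 0b0010, extra=1, clamp=False))   # well-formed
    print(walk_axes(4, 0b0010, extra=-5, clamp=False))  # no progress
    print(walk_axes(4, 0b0010, extra=-5, clamp=True))   # progress guaranteed
```
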

Exploitation Scenario

An adversary targeting an edge AI deployment (e.g., a mobile app or IoT device using TFLite 2.6.0rc1) crafts a malicious .tflite model file with a strided slice op configured so that `ellipsis_end_idx` is always smaller than the loop index `i`. The adversary distributes this model via a compromised model repository, a poisoned model update, or by abusing a feature that allows user-supplied models. When the device loads and runs inference on this model, the TFLite runtime enters an infinite loop, pinning a CPU core and rendering the inference process unresponsive — effectively taking down any AI-dependent functionality until the process is killed or the device reboots.

Weaknesses (CWE)

CWE-835 — Loop with Unreachable Exit Condition ('Infinite Loop'): The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: August 12, 2021
Last Modified: November 21, 2024
First Seen: August 12, 2021
