AI Threat Alert
CVE-2021-37687: TFLite: heap OOB read via negative indices in GatherNd
MEDIUMTensorFlow Lite's GatherNd and Gather kernels lack bounds checking for negative indices, allowing an attacker to read arbitrary heap memory by supplying a crafted model. The primary risk surface is any inference pipeline that loads externally sourced or user-supplied TFLite models—patch to TF 2.6.0 (or 2.5.1/2.4.3/2.3.4 with cherry-picks) and enforce cryptographic model provenance verification before deployment. Multi-tenant inference platforms are especially exposed due to potential cross-tenant memory leakage.
What is the risk?
Medium severity by CVSS, but operationally elevated for organizations running TFLite inference with untrusted model inputs. Exploitation requires local access and ability to supply a crafted model file—low complexity once delivery is achieved. The confidentiality impact is rated HIGH, as arbitrary heap reads can expose inference request payloads, co-resident process secrets, or proprietary model weights. No integrity or availability impact. Not in CISA KEV and not observed exploited in the wild as of disclosure, but the attack is straightforward for anyone with ML framework knowledge.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
Do you use TensorFlow? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Patch immediately: upgrade to TensorFlow 2.6.0, or apply the cherry-picked commits (bb6a0383, eb921122) to 2.5.1, 2.4.3, or 2.3.4.
-
Enforce model provenance: require cryptographic signatures on all TFLite models before loading; reject models from unverified sources.
-
Pre-load validation: scan model files for negative index values in GatherNd/Gather operation parameters as a defense-in-depth layer.
-
Process isolation: run TFLite inference in sandboxed processes with minimal privileges to limit heap read blast radius.
-
For multi-tenant platforms: treat user-supplied models as untrusted input and audit all model loading code paths for missing bounds checks across the framework version in use.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2021-37687?
TensorFlow Lite's GatherNd and Gather kernels lack bounds checking for negative indices, allowing an attacker to read arbitrary heap memory by supplying a crafted model. The primary risk surface is any inference pipeline that loads externally sourced or user-supplied TFLite models—patch to TF 2.6.0 (or 2.5.1/2.4.3/2.3.4 with cherry-picks) and enforce cryptographic model provenance verification before deployment. Multi-tenant inference platforms are especially exposed due to potential cross-tenant memory leakage.
Is CVE-2021-37687 actively exploited?
No confirmed active exploitation of CVE-2021-37687 has been reported, but organizations should still patch proactively.
How to fix CVE-2021-37687?
1. Patch immediately: upgrade to TensorFlow 2.6.0, or apply the cherry-picked commits (bb6a0383, eb921122) to 2.5.1, 2.4.3, or 2.3.4. 2. Enforce model provenance: require cryptographic signatures on all TFLite models before loading; reject models from unverified sources. 3. Pre-load validation: scan model files for negative index values in GatherNd/Gather operation parameters as a defense-in-depth layer. 4. Process isolation: run TFLite inference in sandboxed processes with minimal privileges to limit heap read blast radius. 5. For multi-tenant platforms: treat user-supplied models as untrusted input and audit all model loading code paths for missing bounds checks across the framework version in use.
What systems are affected by CVE-2021-37687?
This vulnerability affects the following AI/ML architecture patterns: model serving, edge inference, training pipelines, mobile AI runtimes.
What is the CVSS score for CVE-2021-37687?
CVE-2021-37687 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.19%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0011.000 Unsafe AI Artifacts AML.T0025 Exfiltration via Cyber Means AML.T0035 AI Artifact Collection Compliance Controls Affected
What are the technical details?
Original Advisory
TensorFlow is an end-to-end open source platform for machine learning. In affected versions TFLite's [`GatherNd` implementation](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/gather_nd.cc#L124) does not support negative indices but there are no checks for this situation. Hence, an attacker can read arbitrary data from the heap by carefully crafting a model with negative values in `indices`. Similar issue exists in [`Gather` implementation](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/gather.cc). We have patched the issue in GitHub commits bb6a0383ed553c286f87ca88c207f6774d5c4a8f and eb921122119a6b6e470ee98b89e65d721663179d. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
Exploitation Scenario
An attacker targeting a server-side TFLite inference API or a mobile application crafts a malicious .tflite model file with negative values in the indices parameter of a GatherNd or Gather op. They upload the model to a shared model repository, submit it via a model-upload API endpoint, or distribute it through a compromised dataset pipeline. When the target runtime loads and executes inference on the model, the TFLite kernel reads beyond the intended tensor buffer into adjacent heap memory. The out-of-bounds data is returned as part of the inference output or recoverable via side channel, potentially exposing other users' inference inputs on a multi-tenant platform, API keys resident in process memory, or weights from co-loaded proprietary models.
Weaknesses (CWE)
CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] Use a language that provides appropriate memory abstractions.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N References
Timeline
Related Vulnerabilities
CVE-2020-15196 9.9 TensorFlow: heap OOB read in sparse/ragged count ops
Same package: tensorflow CVE-2020-15205 9.8 TensorFlow: heap overflow in StringNGrams, ASLR bypass
Same package: tensorflow CVE-2019-16778 9.8 TensorFlow: heap overflow in UnsortedSegmentSum op
Same package: tensorflow CVE-2020-15208 9.8 TFLite: OOB read/write via tensor dimension mismatch
Same package: tensorflow CVE-2022-23587 9.8 TensorFlow: integer overflow in Grappler enables RCE
Same package: tensorflow