CVE-2021-37687 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

TensorFlow Lite's GatherNd and Gather kernels lack bounds checking for negative indices, allowing an attacker to read arbitrary heap memory by supplying a crafted model. The primary risk surface is any inference pipeline that loads externally sourced or user-supplied TFLite models—patch to TF 2.6.0 (or 2.5.1/2.4.3/2.3.4 with cherry-picks) and enforce cryptographic model provenance verification before deployment. Multi-tenant inference platforms are especially exposed due to potential cross-tenant memory leakage.

Risk Assessment

Medium severity by CVSS, but operationally elevated for organizations running TFLite inference with untrusted model inputs. Exploitation requires local access and ability to supply a crafted model file—low complexity once delivery is achieved. The confidentiality impact is rated HIGH, as arbitrary heap reads can expose inference request payloads, co-resident process secrets, or proprietary model weights. No integrity or availability impact. Not in CISA KEV and not observed exploited in the wild as of disclosure, but the attack is straightforward for anyone with ML framework knowledge.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 13% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I None

A None

Recommended Action

5 steps

Patch immediately: upgrade to TensorFlow 2.6.0, or apply the cherry-picked commits (bb6a0383, eb921122) to 2.5.1, 2.4.3, or 2.3.4.
Enforce model provenance: require cryptographic signatures on all TFLite models before loading; reject models from unverified sources.
Pre-load validation: scan model files for negative index values in GatherNd/Gather operation parameters as a defense-in-depth layer.
Process isolation: run TFLite inference in sandboxed processes with minimal privileges to limit heap read blast radius.
For multi-tenant platforms: treat user-supplied models as untrusted input and audit all model loading code paths for missing bounds checks across the framework version in use.

Classification

Data Extraction Supply Chain Framework Inference AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 9 - Risk management system

ISO 42001

A.6.1.3 - AI system security controls

NIST AI RMF

MANAGE 2.4 - Residual risks are monitored and managed

OWASP LLM Top 10

LLM03:2025 - Supply Chain

Frequently Asked Questions

What is CVE-2021-37687?

TensorFlow Lite's GatherNd and Gather kernels lack bounds checking for negative indices, allowing an attacker to read arbitrary heap memory by supplying a crafted model. The primary risk surface is any inference pipeline that loads externally sourced or user-supplied TFLite models—patch to TF 2.6.0 (or 2.5.1/2.4.3/2.3.4 with cherry-picks) and enforce cryptographic model provenance verification before deployment. Multi-tenant inference platforms are especially exposed due to potential cross-tenant memory leakage.

Is CVE-2021-37687 actively exploited?

No confirmed active exploitation of CVE-2021-37687 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37687?

1. Patch immediately: upgrade to TensorFlow 2.6.0, or apply the cherry-picked commits (bb6a0383, eb921122) to 2.5.1, 2.4.3, or 2.3.4. 2. Enforce model provenance: require cryptographic signatures on all TFLite models before loading; reject models from unverified sources. 3. Pre-load validation: scan model files for negative index values in GatherNd/Gather operation parameters as a defense-in-depth layer. 4. Process isolation: run TFLite inference in sandboxed processes with minimal privileges to limit heap read blast radius. 5. For multi-tenant platforms: treat user-supplied models as untrusted input and audit all model loading code paths for missing bounds checks across the framework version in use.

What systems are affected by CVE-2021-37687?

This vulnerability affects the following AI/ML architecture patterns: model serving, edge inference, training pipelines, mobile AI runtimes.

What is the CVSS score for CVE-2021-37687?

CVE-2021-37687 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions TFLite's [`GatherNd` implementation](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/gather_nd.cc#L124) does not support negative indices but there are no checks for this situation. Hence, an attacker can read arbitrary data from the heap by carefully crafting a model with negative values in `indices`. Similar issue exists in [`Gather` implementation](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/gather.cc). We have patched the issue in GitHub commits bb6a0383ed553c286f87ca88c207f6774d5c4a8f and eb921122119a6b6e470ee98b89e65d721663179d. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker targeting a server-side TFLite inference API or a mobile application crafts a malicious .tflite model file with negative values in the indices parameter of a GatherNd or Gather op. They upload the model to a shared model repository, submit it via a model-upload API endpoint, or distribute it through a compromised dataset pipeline. When the target runtime loads and executes inference on the model, the TFLite kernel reads beyond the intended tensor buffer into adjacent heap memory. The out-of-bounds data is returned as part of the inference output or recoverable via side channel, potentially exposing other users' inference inputs on a multi-tenant platform, API keys resident in process memory, or weights from co-loaded proprietary models.