CVE-2021-37688 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

An attacker who can supply a malicious .tflite model file can crash any unpatched TensorFlow Lite inference process, causing denial of service. Risk is elevated in edge and IoT deployments that accept model updates from external or untrusted sources. Patch to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4; enforce model signing if TFLite is in your stack.

Risk Assessment

Medium risk overall, but contextually higher in pipelines accepting model files from untrusted sources—OTA model updates, user-supplied models, or model marketplaces. CVSS 5.5 reflects a local-only attack vector with no confidentiality or integrity impact; this is a pure availability concern. Not actively exploited and absent from CISA KEV, so urgency is moderate. The low attack complexity (no skill required once the malformed model is crafted) slightly elevates practical risk despite the medium CVSS.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 15% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch immediately: upgrade TensorFlow to 2.6.0+, or apply cherrypick commits to 2.5.1, 2.4.3, or 2.3.4.
Enforce model provenance: implement cryptographic signing (e.g., SHA-256 + asymmetric signature) for all TFLite model files; reject models from unverified sources.
Process isolation: run TFLite inference in sandboxed child processes so a crash does not cascade to the parent application or other services.
Detection: alert on repeated inference process restarts or abnormal crash rates—may indicate active exploitation of this or similar NULL dereference vulns.
Inventory: identify all services and devices running TFLite to scope patching effort, especially edge fleets.

Classification

DoS Supply Chain Framework Inference Model AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts AML.T0029 - Denial of AI Service

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system security

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain the value of deployed AI are evaluated and applied

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-37688?

An attacker who can supply a malicious .tflite model file can crash any unpatched TensorFlow Lite inference process, causing denial of service. Risk is elevated in edge and IoT deployments that accept model updates from external or untrusted sources. Patch to TF 2.6.0, 2.5.1, 2.4.3, or 2.3.4; enforce model signing if TFLite is in your stack.

Is CVE-2021-37688 actively exploited?

No confirmed active exploitation of CVE-2021-37688 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37688?

1. Patch immediately: upgrade TensorFlow to 2.6.0+, or apply cherrypick commits to 2.5.1, 2.4.3, or 2.3.4. 2. Enforce model provenance: implement cryptographic signing (e.g., SHA-256 + asymmetric signature) for all TFLite model files; reject models from unverified sources. 3. Process isolation: run TFLite inference in sandboxed child processes so a crash does not cascade to the parent application or other services. 4. Detection: alert on repeated inference process restarts or abnormal crash rates—may indicate active exploitation of this or similar NULL dereference vulns. 5. Inventory: identify all services and devices running TFLite to scope patching effort, especially edge fleets.

What systems are affected by CVE-2021-37688?

This vulnerability affects the following AI/ML architecture patterns: edge inference, mobile ML deployment, model serving.

What is the CVSS score for CVE-2021-37688?

CVE-2021-37688 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.05%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service. The [implementation](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/internal/optimized/optimized_ops.h#L268-L285) unconditionally dereferences a pointer. We have patched the issue in GitHub commit 15691e456c7dc9bd6be203b09765b063bf4a380c. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targets an edge AI deployment that supports OTA model updates (common in smart cameras, mobile apps, or industrial IoT). They compromise the model delivery channel—via man-in-the-middle, supply chain tampering, or a poisoned model repository—and push a specially crafted .tflite file that unconditionally dereferences a null pointer in optimized_ops.h during inference. Every inference call on the malicious model crashes the TFLite runtime. On a device with auto-restart, this creates a persistent crash loop that effectively takes down the AI component until a clean model is re-deployed or the runtime is patched, achieving sustained denial of service against AI-dependent functionality.