CVE-2021-37692: TensorFlow: string tensor GC segfault causes process DoS

GHSA-cmgw-8vpc-rc59 MEDIUM
Published August 12, 2021
CISO Take

TensorFlow's Go bindings crash via segfault when garbage collection fires on a string tensor whose encoding failed due to mismatched dimensions. Attack vector is local with low privileges—no remote exposure, no data loss. Patch to TensorFlow 2.5.1 or 2.6.0 immediately if running Go-based TF code; validate tensor dimensions before encoding in any custom Go TF operators.

Risk Assessment

Low-to-medium operational risk. The AV:L/PR:L CVSS vector tightly constrains exposure—exploitation requires local code execution in the TF process context. EPSS of 0.00032 reflects no meaningful exploitation activity observed in the wild. Impact is confined to availability (process crash); confidentiality and integrity are not affected. Risk increases in shared or multi-tenant ML compute environments where Go-based TF code processes user-controlled tensor shapes.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | | No patch |
| tensorflow | pip | >= 2.5.0rc0, < 2.5.1 | 2.5.1 |
| tensorflow-cpu | pip | >= 2.5.0rc0, < 2.5.1 | 2.5.1 |
| tensorflow-gpu | pip | >= 2.5.0rc0, < 2.5.1 | 2.5.1 |

195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch

Severity & Risk

CVSS 3.1: 5.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 9% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

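AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High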

Recommended Action

  1. Patch: upgrade tensorflow, tensorflow-cpu, or tensorflow-gpu to 2.5.1 (cherry-pick backport) or 2.6.0+.

  2. Audit Go codepaths: identify any string tensor construction sites where dimensions are derived from external or user-controlled input.

  3. Add input validation: enforce dimension consistency checks before calling NewTensor in Go code.

  4. Add process supervision: systemd `Restart=always` or Kubernetes `restartPolicy: Always` to auto-recover crashed TF Go processes.

  5. Detection: alert on unexpected exits of TF worker processes (exit code SIGSEGV / signal 11).
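
Step 3 as an added example (not TensorFlow's code and not code from this advisory): a pre-flight check that rejects nested string slices with mismatched dimensions before they are handed to `NewTensor`. `StringTensorShape` and `walk` are hypothetical names, and the block uses only `reflect`, not the TensorFlow binding.

```go
package main

import (
	"fmt"
	"reflect"
)

// StringTensorShape (hypothetical helper) returns the shape of a nested string
// slice such as [][]string. It fails when sibling slices differ in length (the
// "mismatched dimensions" case) or when the leaf type is not string.
func StringTensorShape(v interface{}) ([]int64, error) {
	t := reflect.TypeOf(v)
	for t != nil && (t.Kind() == reflect.Slice || t.Kind() == reflect.Array) {
		t = t.Elem()
	}
	if t == nil || t.Kind() != reflect.String {
		return nil, fmt.Errorf("want string or nested slices of string, got %T", v)
	}
	var shape []int64
	if err := walk(reflect.ValueOf(v), 0, &shape); err != nil {
		return nil, err
	}
	return shape, nil
}

// walk records the first length seen at each depth and rejects any mismatch.
func walk(rv reflect.Value, depth int, shape *[]int64) error {
	if rv.Kind() == reflect.String {
		return nil // leaf element: contributes no dimension
	}
	n := int64(rv.Len())
	if depth == len(*shape) {
		*shape = append(*shape, n)
	} else if (*shape)[depth] != n {
		return fmt.Errorf("depth %d: length %d, expected %d", depth, n, (*shape)[depth])
	}
	for i := 0; i < rv.Len(); i++ {
		if err := walk(rv.Index(i), depth+1, shape); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	fmt.Println(StringTensorShape([][]string{{"a", "b"}, {"c", "d"}})) // constructed input
	fmt.Println(StringTensorShape([][]string{{"a", "b"}, {"c"}}))      // constructed ragged input
}
```

Call the check on any value whose shape comes from outside the process and refuse the request on error, so a failed encode is never left for the garbage collector to clean up.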

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.2.6 - AI system vulnerability management
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems
OWASP LLM Top 10: LLM04:2023 - Model Denial of Service

Frequently Asked Questions

What is CVE-2021-37692?

TensorFlow's Go bindings crash via segfault when garbage collection fires on a string tensor whose encoding failed due to mismatched dimensions. Attack vector is local with low privileges—no remote exposure, no data loss. Patch to TensorFlow 2.5.1 or 2.6.0 immediately if running Go-based TF code; validate tensor dimensions before encoding in any custom Go TF operators.

Is CVE-2021-37692 actively exploited?

No confirmed active exploitation of CVE-2021-37692 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-37692?

  1. Patch: upgrade tensorflow, tensorflow-cpu, or tensorflow-gpu to 2.5.1 (cherry-pick backport) or 2.6.0+.

  2. Audit Go codepaths: identify any string tensor construction sites where dimensions are derived from external or user-controlled input.

  3. Add input validation: enforce dimension consistency checks before calling NewTensor in Go code.

  4. Add process supervision: systemd `Restart=always` or Kubernetes `restartPolicy: Always` to auto-recover crashed TF Go processes.

  5. Detection: alert on unexpected exits of TF worker processes (exit code SIGSEGV / signal 11).

What systems are affected by CVE-2021-37692?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, data preprocessing.

What is the CVSS score for CVE-2021-37692?

CVE-2021-37692 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.03%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions under certain conditions, Go code can trigger a segfault in string deallocation. For string tensors, `C.TF_TString_Dealloc` is called during garbage collection within a finalizer function. However, tensor structure isn't checked until encoding to avoid a performance penalty. The current method for dealloc assumes that encoding succeeded, but segfaults when a string tensor is garbage collected whose encoding failed (e.g., due to mismatched dimensions). To fix this, the call to set the finalizer function is deferred until `NewTensor` returns and, if encoding failed for a string tensor, deallocs are determined based on bytes written. We have patched the issue in GitHub commit 8721ba96e5760c229217b594f6d2ba332beedf22. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, which is the other affected version.

Exploitation Scenario

An attacker with local code execution in a shared ML training cluster submits a job that constructs a TensorFlow string tensor with intentionally mismatched dimensions via the Go binding. The tensor encoding fails at construction time, but no exception is raised. When Go's garbage collector runs and invokes the finalizer, C.TF_TString_Dealloc dereferences the malformed structure, triggering a segfault that crashes the entire TF process. In a multi-tenant GPU cluster, this disrupts co-located training jobs and burns expensive compute time, effectively functioning as a targeted denial-of-service against competing workloads.
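
To a supervisor, the crash in this scenario appears as a worker terminated by signal 11, or as exit code 139 when a shell or container runtime relays it. The following added example (not part of the advisory or of TensorFlow) classifies a worker's exit that way on Unix-like systems; `IsSegfaultExit`, `Supervise` and the alert format are hypothetical, and the `sh` command in `main` is a constructed stand-in for a crashing worker.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"syscall"
)

// IsSegfaultExit reports whether a wait status means the worker died from
// SIGSEGV: either killed by signal 11 directly, or exit code 128+11 (139) as
// relayed by a wrapping shell or container runtime.
func IsSegfaultExit(ws syscall.WaitStatus) bool {
	if ws.Signaled() {
		return ws.Signal() == syscall.SIGSEGV
	}
	return ws.Exited() && ws.ExitStatus() == 128+int(syscall.SIGSEGV)
}

// Supervise runs one worker command to completion and returns an alert line
// when it ended in a segfault, or "" for any other outcome.
func Supervise(name string, args ...string) (string, error) {
	err := exec.Command(name, args...).Run()
	if err == nil {
		return "", nil
	}
	var ee *exec.ExitError
	if !errors.As(err, &ee) {
		return "", err // the worker never started
	}
	if ws, ok := ee.Sys().(syscall.WaitStatus); ok && IsSegfaultExit(ws) {
		return fmt.Sprintf("ALERT worker=%s pid=%d died with SIGSEGV", name, ee.Pid()), nil
	}
	return "", nil
}

func main() {
	// Constructed stand-in for a crashing TF worker: a shell that signals itself.
	alert, err := Supervise("sh", "-c", "kill -SEGV $$")
	fmt.Println(alert, err)
}
```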

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: August 12, 2021
Last Modified: November 21, 2024
First Seen: August 12, 2021
