AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2021-37690: TensorFlow is an end-to-end open source platform for machine learning. In affected versions when running shape functions

mediumvulnerability

security

Source: NVD/CVE DatabaseAugust 13, 2021CVE-2021-37690

Summary

TensorFlow, an open-source machine learning platform, had a bug where certain shape functions created temporary data structures (ShapeAndType structs) that were deleted too quickly, causing crashes (segfaults, or sudden program failures) if other code tried to access them. The issue was that while normal output shapes were being protected by copying them to safer ownership, the code wasn't doing the same protection for shapes and types together.

Solution / Mitigation

The issue was patched in GitHub commit ee119d4a498979525046fba1c3dd3f13a039fbb1 and fixed by applying the same cloning logic to output shapes and types. The fix is included in TensorFlow 2.6.0, and was also backported (added to earlier versions) in TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.

Vulnerability Details

CVSS Score

6.6(medium)

EPSS (30-day exploit probability)

EPSS: 0.0%

Classification

Attack SophisticationModerate

Impact (CIA+S)

availability

AI Component TargetedFramework

Taxonomy References

CWE (Weakness Type)

CWE-416

CAPEC (Attack Pattern)

CAPEC-233

Affected Vendors

Original source: https://nvd.nist.gov/vuln/detail/CVE-2021-37690

First tracked: February 15, 2026 at 08:40 PM

Classified by LLM (prompt v3) · confidence: 92%