CVE-2021-37638: TensorFlow is an end-to-end open source platform for machine learning. Sending invalid argument for `row_partition_types
Summary
A vulnerability in TensorFlow (a machine learning platform) allows attackers to crash the program by passing an invalid empty list to the `tf.raw_ops.RaggedTensorToTensor` function. The function accesses the first element of the list without checking whether the list is empty, causing undefined behavior (unpredictable program actions). This is a null pointer dereference (attempting to use a memory location that contains no valid data).
Solution / Mitigation
The issue was patched in GitHub commit 301ae88b331d37a2a16159b65b255f4f9eb39314, and the fix will be included in TensorFlow 2.6.0. The patch was also applied to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
Vulnerability Details
7.7 (high)
EPSS: 0.0%
Related Issues
CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne
CVE-2026-22252: LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbi
Original source: https://nvd.nist.gov/vuln/detail/CVE-2021-37638
First tracked: February 15, 2026 at 08:39 PM