CVE-2021-37639: TensorFlow is an end-to-end open source platform for machine learning. When restoring tensors via raw APIs, if the tenso
Summary
TensorFlow, a machine learning platform, has a vulnerability where attackers can crash the program or read memory they shouldn't access by providing incomplete or missing tensor names when restoring data. The bug happens because the code doesn't check if there are enough items in a list before trying to access them, leading to either a null pointer dereference (a crash from accessing invalid memory) or an out-of-bounds read (accessing memory outside the intended storage area).
Solution / Mitigation
The issue was patched in GitHub commit 9e82dce6e6bd1f36a57e08fa85af213e2b2f2622. The fix is included in TensorFlow 2.6.0 and was also backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
Vulnerability Details
8.4(high)
EPSS: 0.0%
Classification
Affected Vendors
Related Issues
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
CVE-2025-54868: LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint
Original source: https://nvd.nist.gov/vuln/detail/CVE-2021-37639
First tracked: February 15, 2026 at 08:39 PM
Classified by LLM (prompt v3) · confidence: 95%