CVE-2021-37687: TensorFlow is an end-to-end open source platform for machine learning. In affected versions TFLite's [`GatherNd` impleme
Summary
TensorFlow Lite (TFLite, the TensorFlow runtime for mobile and embedded devices) does not validate the `indices` tensor consumed by its `GatherNd` and `Gather` operations. Negative indices are not supported by either kernel, but neither checks for them; the index value is multiplied into a flat offset into the input tensor's heap-allocated buffer, so a negative index produces an offset that lies before (or otherwise outside) that buffer. A crafted model whose `indices` contain negative values therefore makes the kernel copy out-of-bounds heap memory into the op's output, disclosing data the application never intended to expose. The precondition is that the attacker can supply a model to a TFLite-based application, which is why the vulnerability is scored as an information-disclosure issue rather than as remote code execution.
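The following C++ is an added illustration written for this page; it is not TFLite's source. It reimplements a minimal `GatherNd` over a row-major float tensor to show the two halves of the bug: `UncheckedOffset` computes the flat offset exactly as a kernel with no range check would, so a negative index component yields a negative offset (a read before the buffer), while `GatherNd` applies the kind of per-component `[0, dim)` check the patch introduced and rejects such a model with an error. `Tensor`, `Status`, `SampleParams` and the function names are assumptions made for this example; the real kernels work on `TfLiteTensor` and several element types, but the offset arithmetic and the missing check are the same.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Added illustration, not TFLite's source: a minimal GatherNd over a row-major
// float tensor. Tensor, Status and the function names below are assumptions
// made for this example. The first `index_depth` dimensions of `params` are
// addressed by each index tuple; the trailing dimensions form the copied slice.
struct Tensor {
  std::vector<int> shape;   // e.g. {2, 3}
  std::vector<float> data;  // row-major, size == product(shape)
};

enum class Status { kOk, kInvalidIndex };

// Elements per slice: product of the dimensions not covered by an index tuple.
static int64_t SliceSize(const Tensor& t, int index_depth) {
  int64_t n = 1;
  for (size_t d = index_depth; d < t.shape.size(); ++d) n *= t.shape[d];
  return n;
}

// Flat element offset selected by one index tuple, computed with no range
// check. This is the pre-fix shape of the bug: a negative component produces a
// negative offset, so the copy loop that follows would read heap memory that
// sits before the tensor's buffer. (Only the offset is computed here; nothing
// is dereferenced, so this example itself stays memory-safe.)
int64_t UncheckedOffset(const Tensor& t, const int32_t* idx, int index_depth) {
  int64_t offset = 0;
  for (int d = 0; d < index_depth; ++d) {
    int64_t stride = 1;
    for (size_t k = d + 1; k < t.shape.size(); ++k) stride *= t.shape[k];
    offset += static_cast<int64_t>(idx[d]) * stride;
  }
  return offset;
}

// Hardened GatherNd: every index component must lie in [0, dim) before any
// memory is touched; a crafted model with negative (or too large) indices is
// rejected with an error instead of leaking heap contents into `out`.
Status GatherNd(const Tensor& params, const std::vector<int32_t>& indices,
                int index_depth, std::vector<float>* out) {
  out->clear();
  if (index_depth <= 0 ||
      static_cast<size_t>(index_depth) > params.shape.size() ||
      indices.size() % static_cast<size_t>(index_depth) != 0) {
    return Status::kInvalidIndex;
  }
  const int64_t slice = SliceSize(params, index_depth);
  for (size_t i = 0; i < indices.size(); i += index_depth) {
    const int32_t* tuple = &indices[i];
    for (int d = 0; d < index_depth; ++d) {
      if (tuple[d] < 0 || tuple[d] >= params.shape[d]) return Status::kInvalidIndex;
    }
    const int64_t off = UncheckedOffset(params, tuple, index_depth);
    out->insert(out->end(), params.data.begin() + off,
                params.data.begin() + off + slice);
  }
  return Status::kOk;
}

// Constructed sample input for the example: a 2x3 tensor holding 0..5.
Tensor SampleParams() { return Tensor{{2, 3}, {0, 1, 2, 3, 4, 5}}; }

int main() {
  Tensor params = SampleParams();
  std::vector<float> out;

  // A benign model: index tuple {1} selects row 1 -> {3, 4, 5}.
  GatherNd(params, {1}, 1, &out);
  std::printf("row 1: %g %g %g\n", out[0], out[1], out[2]);

  // A crafted model: index {-1} yields offset -3, i.e. three floats located
  // before the buffer. The hardened kernel refuses it.
  const int32_t bad[] = {-1};
  std::printf("unchecked offset for {-1}: %lld\n",
              static_cast<long long>(UncheckedOffset(params, bad, 1)));
  std::printf("hardened GatherNd: %s\n",
              GatherNd(params, {-1}, 1, &out) == Status::kInvalidIndex
                  ? "rejected" : "accepted");
  return 0;
}
```

The check has to run before the copy, not after: once the slice has been copied, the heap bytes are already in the output tensor, and a model can route that output to wherever the application reads results from. Clamping the index instead of rejecting it would hide a malformed model rather than flag it.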
Solution / Mitigation
The issue was patched in GitHub commits bb6a0383ed553c286f87ca88c207f6774d5c4a8f and eb921122119a6b6e470ee98b89e65d721663179d, which add the missing index range checks. The fix is included in TensorFlow 2.6.0 and is also cherry-picked into TensorFlow 2.5.1, 2.4.3, and 2.3.4, since those release lines are affected and still supported. Applications that embed TFLite should move to one of these releases; until then, treat model files as untrusted input and do not load models from sources you cannot authenticate.
Vulnerability Details
CVSS base score: 5.5 (Medium)
EPSS: 0.0%
Affected Vendors
TensorFlow
Related Issues
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
CVE-2025-54868: LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint
Original source: https://nvd.nist.gov/vuln/detail/CVE-2021-37687
First tracked: February 15, 2026 at 08:40 PM
Classified by LLM (prompt v3) · confidence: 95%