CVE-2021-37641: TensorFlow is an end-to-end open source platform for machine learning. In affected versions if the arguments to `tf.raw_
Summary
TensorFlow, a machine learning platform, has a vulnerability in the `tf.raw_ops.RaggedGather` function where invalid input arguments can cause the program to read memory outside the bounds of allocated buffers (a heap buffer overflow). The bug occurs because the code reads tensor dimensions without first checking that the tensor has at least one dimension, and doesn't verify that required tensor lists aren't empty.
Solution / Mitigation
The issue was patched in GitHub commit a2b743f6017d7b97af1fe49087ae15f0ac634373. The fix is included in TensorFlow 2.6.0 and was also backported (applied to older versions) to TensorFlow 2.5.1, 2.4.3, and 2.3.4.
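An added example, not part of the original advisory or TensorFlow's own code: a check that compares a TensorFlow version string, or the installed distribution, against the fixed releases listed above. Treating pre-releases of a fixed version and branches older than 2.3 as unpatched are assumptions, since the page does not address either case.

```python
import re
from importlib import metadata

# Fixed releases named on this page: (major, minor) branch -> first fixed patch.
BACKPORTS = {(2, 3): 4, (2, 4): 3, (2, 5): 1}
FIRST_FIXED_BRANCH = (2, 6)  # 2.6.0 ships the fix

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([^+]*)")
_PRERELEASE = re.compile(r"^[.-]?(rc|a|b|dev)\d*", re.IGNORECASE)


def parse_version(version):
    """Return (major, minor, patch, is_prerelease); local tags like '+cpu' are ignored."""
    m = _VERSION.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised TensorFlow version: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, bool(_PRERELEASE.match(m.group(4)))


def is_unpatched(version):
    """True when `version` predates the fixed release listed for its branch."""
    major, minor, patch, pre = parse_version(version)
    branch = (major, minor)
    if branch > FIRST_FIXED_BRANCH:
        return False
    if branch == FIRST_FIXED_BRANCH:
        first_fixed = 0
    elif branch in BACKPORTS:
        first_fixed = BACKPORTS[branch]
    else:
        return True  # assumption: no fixed release is named for branches older than 2.3
    # Assumption: a pre-release of the first fixed version is treated as unpatched.
    return patch < first_fixed or (patch == first_fixed and pre)


def installed_status(names=("tensorflow", "tensorflow-cpu", "tensorflow-gpu")):
    """Map each installed distribution in `names` to (version, is_unpatched)."""
    status = {}
    for name in names:
        try:
            found = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
        status[name] = (found, is_unpatched(found))
    return status


if __name__ == "__main__":
    for dist, (ver, bad) in installed_status().items():
        print(f"{dist} {ver}: {'UNPATCHED for CVE-2021-37641' if bad else 'fix included'}")
```

The installed version is read from package metadata, so TensorFlow itself is never imported during the check.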
Vulnerability Details
7.3 (high)
EPSS: 0.0%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2021-37641
First tracked: February 15, 2026 at 08:39 PM