CVE-2021-37692: TensorFlow is an end-to-end open source platform for machine learning. In affected versions under certain conditions, Go
Summary
TensorFlow (an open source machine learning platform) had a bug where Go code could crash the program during memory cleanup of string tensors if encoding failed. The problem occurred because the cleanup process assumed encoding always succeeded, but didn't check whether it actually did.
Solution / Mitigation
The fix defers calling the finalizer function (the cleanup code) until after the tensor is fully created, and changes how memory is deallocated for string tensors so that it is based on the bytes actually written rather than on the assumption that encoding succeeded. The patch is GitHub commit 8721ba96e5760c229217b594f6d2ba332beedf22, which will be included in TensorFlow 2.6.0 and backported to TensorFlow 2.5.1.
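The pattern described above, modeled in Go as an added example (not TensorFlow's code): cleanup is bounded by what was actually written, and the finalizer is attached only once construction has succeeded. The names `stringTensor`, `encode`, `release` and `newStringTensor` are hypothetical, and setting a slot to nil stands in for freeing a native buffer.

```go
package main

import (
	"fmt"
	"runtime"
)

// stringTensor is a hypothetical model: each slot owns a buffer once encoded.
type stringTensor struct {
	slots          [][]byte
	written, freed int // slots encoded so far / slots released by cleanup
}

// encode fills slots in order and stops at the first non-string value.
func (t *stringTensor) encode(vals []interface{}) error {
	for i, v := range vals {
		s, ok := v.(string)
		if !ok {
			return fmt.Errorf("element %d: cannot encode %T", i, v)
		}
		t.slots[i] = []byte(s)
		t.written++
	}
	return nil
}

// release frees only the slots that were written, never the full capacity.
func (t *stringTensor) release() {
	for i := 0; i < t.written; i++ {
		t.slots[i] = nil
		t.freed++
	}
	t.written = 0
}

// newStringTensor attaches the finalizer only after encoding has succeeded.
func newStringTensor(vals []interface{}) (*stringTensor, error) {
	t := &stringTensor{slots: make([][]byte, len(vals))}
	if err := t.encode(vals); err != nil {
		t.release() // partial cleanup, bounded by t.written
		return nil, err
	}
	runtime.SetFinalizer(t, (*stringTensor).release)
	return t, nil
}

func main() {
	_, err := newStringTensor([]interface{}{"a", 42, "c"}) // constructed input
	fmt.Println("construction error:", err)
}
```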
Vulnerability Details
5.5 (medium)
EPSS: 0.0%
Classification
Taxonomy References
Affected Vendors
Original source: https://nvd.nist.gov/vuln/detail/CVE-2021-37692
First tracked: February 15, 2026 at 08:40 PM
Classified by LLM (prompt v3) · confidence: 92%