CVE-2021-37655: TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a re
Summary
TensorFlow, an open source platform for machine learning, has a vulnerability where an attacker can read data outside the bounds of allocated memory (a heap buffer overflow) by sending invalid arguments to a specific function called `tf.raw_ops.ResourceScatterUpdate`. The bug exists because the code doesn't properly validate the relationship between the shapes of two inputs called `indices` and `updates`, checking only that their element counts are divisible rather than verifying the correct dimensional relationship needed for broadcasting (automatically expanding smaller arrays to match larger ones).
Solution / Mitigation
The issue was patched in GitHub commit 01cff3f986259d661103412a20745928c727326f. The fix is included in TensorFlow 2.6.0 and will be cherrypicked to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.
Vulnerability Details
7.3(high)
EPSS: 0.0%
Classification
Affected Vendors
Related Issues
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
CVE-2025-54868: LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint
Original source: https://nvd.nist.gov/vuln/detail/CVE-2021-37655
First tracked: February 15, 2026 at 08:39 PM
Classified by LLM (prompt v3) · confidence: 95%