AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2021-37661: TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause a deni

mediumvulnerability

security

Source: NVD/CVE DatabaseAugust 12, 2021CVE-2021-37661

Summary

TensorFlow, a machine learning platform, has a vulnerability where attackers can crash the system by passing negative numbers to the `boosted_trees_create_quantile_stream_resource` function. The bug happens because the code doesn't check if the input is negative before using it to allocate memory (reserve, which expects an unsigned integer, or a whole number with no sign). When a negative number gets converted to an unsigned integer, it becomes a huge positive number that causes the program to crash.

Solution / Mitigation

The issue has been patched in GitHub commit 8a84f7a2b5a2b27ecf88d25bad9ac777cd2f7992. The fix will be included in TensorFlow 2.6.0 and will also be backported (added to older versions still being supported) in TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.

Vulnerability Details

CVSS Score

5.5(medium)

EPSS (30-day exploit probability)

EPSS: 0.0%

Classification

Attack Type

DoS

Attack SophisticationTrivial

Impact (CIA+S)

availability

AI Component TargetedFramework

Taxonomy References

CWE (Weakness Type)

CWE-681 CWE-681

Affected Vendors

Related Issues

medium

CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem

Similar attackNVD/CVE Database

low

CVE-2021-29541: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null p

First tracked: February 15, 2026 at 08:39 PM

Classified by LLM (prompt v3) · confidence: 95%