Out-of-bounds read in TensorFlow - CVE-2021-37679

 

Published: August 12, 2021 / Updated: May 3, 2026


Vulnerability identifier: #VU129224
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-37679
CWE-ID: CWE-125
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: TensorFlow
Software vendor: TensorFlow

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the conversion from a Variant tensor to a RaggedTensor when processing nested tf.map_fn calls with RaggedTensor input and no function signature. A remote attacker can supply crafted RaggedTensor input to disclose sensitive information.

The issue can occur because the implementation does not check that all inner shapes match.
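The missing check, shown on a simplified model as an added example (this is not TensorFlow's code; `component_t`, `stack_components` and the sample arrays are hypothetical names and constructed data). Each component carries its own inner size, and the stacking routine refuses to copy unless every component agrees with the first:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Simplified stand-in for one component: `rows` rows of `inner` floats each. */
typedef struct { size_t rows, inner; const float *values; } component_t;

/* Stack n components into out (capacity out_cap floats). Returns the number
 * of floats written, or -1 if inner sizes differ or the result does not fit. */
long stack_components(const component_t *c, size_t n, float *out, size_t out_cap)
{
    size_t total = 0, off = 0;
    for (size_t i = 0; i < n; i++) {
        /* The check in question: without it, the copy below would size every
         * read with component 0's inner size and run past a smaller buffer. */
        if (c[i].inner != c[0].inner) return -1;
        if (c[0].inner != 0 && c[i].rows > (out_cap - total) / c[0].inner) return -1;
        total += c[i].rows * c[0].inner;
    }
    for (size_t i = 0; i < n; i++) {
        size_t count = c[i].rows * c[0].inner;
        if (count != 0) memcpy(out + off, c[i].values, count * sizeof(float));
        off += count;
    }
    return (long)total;
}

/* Constructed sample inputs. */
static const float A[] = {1, 2, 3, 4};   /* 2 rows x 2 */
static const float B[] = {5, 6};         /* 1 row  x 2 */
static const float C[] = {7, 8, 9};      /* 3 rows x 1: inner size differs */

long demo_matching(void)
{
    const component_t c[] = {{2, 2, A}, {1, 2, B}};
    float out[8];
    return stack_components(c, 2, out, 8);
}

long demo_mismatched(void)
{
    /* Unchecked, C would be read as 3 rows x 2 = 6 floats from a 3-float buffer. */
    const component_t c[] = {{2, 2, A}, {3, 1, C}};
    float out[16];
    return stack_components(c, 2, out, 16);
}

int main(void)
{
    printf("matching: %ld, mismatched: %ld\n", demo_matching(), demo_mismatched());
}
```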


Remediation

Install the security update from the vendor's website.
