Out-of-bounds read in TensorFlow - CVE-2021-37659

 


Published: August 12, 2021 / Updated: May 4, 2026


Vulnerability identifier: #VU129247
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-37659
CWE-ID: CWE-125
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
TensorFlow
Software vendor:
TensorFlow

Description

The vulnerability allows a remote attacker to cause undefined behavior.

The vulnerability exists due to an out-of-bounds read in binary cwise operations in tensorflow/core/kernels/cwise_ops_common.h when processing inputs with mismatched element counts in operations that do not require broadcasting. A remote attacker can supply crafted input tensors to cause undefined behavior.

This affects binary cwise operations that assume both inputs have exactly the same number of elements, including gradients of binary cwise operations.
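The missing precondition described above, shown as an added example in simplified C++; it is not TensorFlow's code. `Flat`, `CwiseUnchecked`, `CwiseChecked` and `SampleGradOp` are hypothetical names, and the inputs are constructed.

```cpp
#include <cstddef>
#include <functional>
#include <iostream>
#include <string>
#include <vector>

using Flat = std::vector<float>;  // simplified stand-in for a flattened tensor
using BinaryOp = std::function<float(float, float)>;

// Unchecked pattern: the loop bound comes from in0 only, so a shorter in1 is
// read past its end (CWE-125). Only safe when both sizes are already equal.
Flat CwiseUnchecked(const Flat& in0, const Flat& in1, const BinaryOp& op) {
  Flat out(in0.size());
  for (std::size_t i = 0; i < in0.size(); ++i) out[i] = op(in0[i], in1[i]);
  return out;
}

// Hardened pattern: compare element counts before touching either buffer and
// report an error instead of computing. Returns true on success.
bool CwiseChecked(const Flat& in0, const Flat& in1, const BinaryOp& op,
                  Flat* out, std::string* error) {
  out->clear();
  if (in0.size() != in1.size()) {
    *error = "inputs must have the same number of elements, got " +
             std::to_string(in0.size()) + " and " + std::to_string(in1.size());
    return false;
  }
  *out = CwiseUnchecked(in0, in1, op);
  return true;
}

// Constructed gradient-style functor taking (forward output y, upstream dy).
float SampleGradOp(float y, float dy) { return dy * 0.5f / y; }

int main() {
  Flat out;
  std::string error;
  // Constructed inputs: equal sizes succeed, mismatched sizes are rejected.
  bool ok = CwiseChecked({4.0f, 16.0f}, {1.0f, 2.0f}, SampleGradOp, &out, &error);
  std::cout << "equal sizes ok=" << ok << " out[0]=" << out[0] << "\n";
  ok = CwiseChecked({1.0f, 2.0f, 3.0f}, {1.0f}, SampleGradOp, &out, &error);
  std::cout << "mismatch ok=" << ok << " error=" << error << "\n";
  return 0;
}
```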


Remediation

Install the security update from the vendor's website.
