{"id":"CVE-2021-37687","details":"TensorFlow is an end-to-end open source platform for machine learning. In affected versions TFLite's [`GatherNd` implementation](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/gather_nd.cc#L124) does not support negative indices but there are no checks for this situation. Hence, an attacker can read arbitrary data from the heap by carefully crafting a model with negative values in `indices`. Similar issue exists in [`Gather` implementation](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/gather.cc). We have patched the issue in GitHub commits bb6a0383ed553c286f87ca88c207f6774d5c4a8f and eb921122119a6b6e470ee98b89e65d721663179d. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.","aliases":["BIT-tensorflow-2021-37687","GHSA-jwf9-w5xm-f437","PYSEC-2021-309","PYSEC-2021-600","PYSEC-2021-798"],"modified":"2026-04-11T16:26:24.010738Z","published":"2021-08-12T23:15:08.773Z","related":["GHSA-jwf9-w5xm-f437","openSUSE-SU-2022:10014-1","openSUSE-SU-2024:12116-1"],"references":[{"type":"ADVISORY","url":"https://github.com/tensorflow/tensorflow/security/advisories/GHSA-jwf9-w5xm-f437"},{"type":"ADVISORY","url":"https://github.com/tensorflow/tensorflow/commit/eb921122119a6b6e470ee98b89e65d721663179d"},{"type":"FIX","url":"https://github.com/tensorflow/tensorflow/commit/bb6a0383ed553c286f87ca88c207f6774d5c4a8f"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tensorflow/tensorflow","events":[{"introduced":"b36436b087bd8e8701ef51718179037cccdfc26e"},{"fixed":"7462dcaae1e8cfe1dfd0c62dd6083f9749a9d827"},{"introduced":"582c8d236cb079023657287c318ff26adb239002"},{"fixed":"4c0b84bf2a714bcdd18da1f1f94d533d72399d52"},{"introduced":"0"},{"last_affected":"a4dfb8d1a71385bd6d122e4f27f86dcebb96712d"},{"introduced":"0"},{"last_affected":"a5317d67e6ce6e93de18011bfdcdd4ff7aa894cf"},{"introduced":"0"},{"last_affected":"79f2d3a179ac6ea6b4c3d07b6849afad4e8730cd"},{"introduced":"0"},{"last_affected":"5368d50428b30b7c9ccd038aec65d09252d16596"},{"fixed":"bb6a0383ed553c286f87ca88c207f6774d5c4a8f"},{"fixed":"eb921122119a6b6e470ee98b89e65d721663179d"}],"database_specific":{"versions":[{"introduced":"2.3.0"},{"fixed":"2.3.4"},{"introduced":"2.4.0"},{"fixed":"2.4.3"},{"introduced":"0"},{"last_affected":"2.5.0"},{"introduced":"0"},{"last_affected":"2.6.0-rc0"},{"introduced":"0"},{"last_affected":"2.6.0-rc1"},{"introduced":"0"},{"last_affected":"2.6.0-rc2"}]}}],"versions":["0.5.0","0.6.0","v1.1.0-rc1","v1.1.0-rc2","v1.12.1","v1.6.0-rc1","v1.9.0-rc2","v2.3.0","v2.3.1","v2.3.2","v2.3.3","v2.4.0","v2.4.1","v2.4.2","v2.5.0","v2.5.0-rc0","v2.5.0-rc1","v2.5.0-rc2","v2.5.0-rc3","v2.6.0-rc0","v2.6.0-rc1","v2.6.0-rc2"],"database_specific":{"vanir_signatures_modified":"2026-04-11T16:26:24Z","vanir_signatures":[{"signature_type":"Function","target":{"file":"tensorflow/lite/kernels/gather.cc","function":"Eval"},"source":"https://github.com/tensorflow/tensorflow/commit/eb921122119a6b6e470ee98b89e65d721663179d","digest":{"function_hash":"54823632520000742791476846105667347132","length":2310},"signature_version":"v1","id":"CVE-2021-37687-08c65076","deprecated":false},{"signature_type":"Line","target":{"file":"tensorflow/lite/kernels/gather_nd.cc"},"source":"https://github.com/tensorflow/tensorflow/commit/bb6a0383ed553c286f87ca88c207f6774d5c4a8f","digest":{"threshold":0.9,"line_hashes":["219895334753460464604426043766693885156","318138816920326330628389708342889864702","172549970116235642071825433760502621587","11745410726401002184616753994438271655"]},"signature_version":"v1","id":"CVE-2021-37687-16d6e2ac","deprecated":false},{"signature_type":"Function","target":{"file":"tensorflow/lite/kernels/gather.cc","function":"GatherStrings"},"source":"https://github.com/tensorflow/tensorflow/commit/eb921122119a6b6e470ee98b89e65d721663179d","digest":{"function_hash":"58287300432856731515810022849837485247","length":540},"signature_version":"v1","id":"CVE-2021-37687-1db4a600","deprecated":false},{"signature_type":"Function","target":{"file":"tensorflow/lite/kernels/gather_nd.cc","function":"EvalGatherNd"},"source":"https://github.com/tensorflow/tensorflow/commit/bb6a0383ed553c286f87ca88c207f6774d5c4a8f","digest":{"function_hash":"90624502493514286480861921367087836848","length":907},"signature_version":"v1","id":"CVE-2021-37687-283ec6e9","deprecated":false},{"signature_type":"Function","target":{"file":"tensorflow/lite/kernels/gather.cc","function":"Gather"},"source":"https://github.com/tensorflow/tensorflow/commit/eb921122119a6b6e470ee98b89e65d721663179d","digest":{"function_hash":"72094506469869949494076202646206794057","length":466},"signature_version":"v1","id":"CVE-2021-37687-4ea77313","deprecated":false},{"signature_type":"Line","target":{"file":"tensorflow/lite/kernels/gather.cc"},"source":"https://github.com/tensorflow/tensorflow/commit/eb921122119a6b6e470ee98b89e65d721663179d","digest":{"threshold":0.9,"line_hashes":["55441287813791419632741267893137648515","176741494032555896787465940188888982805","130716016608291075674983279986058735930","21872995040260778173027114917350657432","91155851677973055556014122403799358473","209863128153303537177795957235623969837","79153212057790819471764163367449615392","82163637664755071708927089459440253929","322258692400987668558373096853498976787","285501083557778905430307481094025559643","296636767536887869109415631223492136620","232401806761000658924132392236874537252","103128246063469219303237224618276627064","64720595496547577082434994357091056032","195552221946756637795117955104275806565","296650804069556538354830768597370903445","118745500739076576319750865262363443886","159621768382538900784648610267996500864","200502005533218656206920235468924352809","144190238721168201985761941119047888981","155046380586264355435237638695408622032","152576515752177584895491347506682855550","113370393526753158104847179959239683199","317201354719349466209962917331406414107","240395513066364510678243384594817120852","61640333293928140035390982090135303408","183352026903822466990408765383041004455","120060699296718237412009782312392161902","11170496225951582419078765421850142841","69397055859331328411648319928466905089","245203092878579871470514779263785524578","306499462394866958097532104137557455669","189285178695422282985138753856051610714","259467842264100098224521267785979127122","163133765155422050990834799685983372538","52972275894337980484426348403882390823","203765330786669184462629070002533818034","41201730592089806176136473800473945682","60389507233366557238399534476561406093","174120498689317770881781400337782525822","250000315248100988958374041501477645869","228963187918585274495948351232405964342"]},"signature_version":"v1","id":"CVE-2021-37687-bedd6a9d","deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-37687.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}