CVE-2021-29512: TensorFlow heap buffer overflow

CISO Take

A low-privileged local attacker can trigger a heap buffer overflow in TensorFlow's RaggedBincount operation by passing a malformed splits array, enabling arbitrary read/write and potential code execution. Any environment where untrusted users can submit TensorFlow operations—shared training clusters, Jupyter hubs, MLaaS platforms—is at elevated risk. Patch immediately to TensorFlow 2.5.0, 2.4.2, or 2.3.3; there are no viable workarounds short of disabling sparse tensor operations.

What is the risk?

CVSS 7.8 (High) with local attack vector and low privilege requirement makes this exploitable in multi-tenant ML environments such as shared Jupyter servers, Kubernetes-based training clusters, or any platform where users submit arbitrary TensorFlow graphs. While not remotely exploitable by default, the low attack complexity (AC:L) means exploitation is straightforward once local access exists. The combination of CWE-787 (out-of-bounds write) and CWE-120 (buffer overflow) makes this a memory corruption primitive with real RCE potential. Not in CISA KEV and from 2021, reducing urgency for fully patched environments.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

7.8 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 11% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

What should I do?

5 steps

PATCH

Upgrade TensorFlow to >= 2.5.0 (or cherrypick releases 2.4.2 / 2.3.3). Run pip show tensorflow to verify installed version.
ISOLATE

Until patched, restrict who can submit arbitrary TensorFlow graphs—sandbox notebook environments, enforce signed model artifacts, and reject raw user-supplied compute graphs in serving infrastructure.
NETWORK CONTROLS

Do not expose TensorFlow Serving gRPC/REST endpoints directly; place behind authenticated API gateway.
DETECT

Monitor for crashes or SIGABRT/SIGSEGV in TF serving workers—heap corruption often manifests as unexpected process termination.
AUDIT

Inventory all TF versions across training, serving, and CI/CD pipelines using pip list | grep tensorflow or SBOM tooling.

How is it classified?

Code Execution Framework Training Data AML.T0001 - Search Open AI Vulnerability Analysis AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

6.1.2 - AI risk assessment 8.4 - AI system operation and monitoring

NIST AI RMF

MANAGE-2.2 - Mechanisms to respond to, recover from, and communicate about AI risks MEASURE-2.6 - Technical AI risk metrics are defined and monitored

OWASP LLM Top 10

LLM05:2025 - Improper Output Handling / Insecure Plugin Design

Frequently Asked Questions

What is CVE-2021-29512?

A low-privileged local attacker can trigger a heap buffer overflow in TensorFlow's RaggedBincount operation by passing a malformed splits array, enabling arbitrary read/write and potential code execution. Any environment where untrusted users can submit TensorFlow operations—shared training clusters, Jupyter hubs, MLaaS platforms—is at elevated risk. Patch immediately to TensorFlow 2.5.0, 2.4.2, or 2.3.3; there are no viable workarounds short of disabling sparse tensor operations.

Is CVE-2021-29512 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29512, increasing the risk of exploitation.

How to fix CVE-2021-29512?

1. PATCH: Upgrade TensorFlow to >= 2.5.0 (or cherrypick releases 2.4.2 / 2.3.3). Run `pip show tensorflow` to verify installed version. 2. ISOLATE: Until patched, restrict who can submit arbitrary TensorFlow graphs—sandbox notebook environments, enforce signed model artifacts, and reject raw user-supplied compute graphs in serving infrastructure. 3. NETWORK CONTROLS: Do not expose TensorFlow Serving gRPC/REST endpoints directly; place behind authenticated API gateway. 4. DETECT: Monitor for crashes or SIGABRT/SIGSEGV in TF serving workers—heap corruption often manifests as unexpected process termination. 5. AUDIT: Inventory all TF versions across training, serving, and CI/CD pipelines using `pip list | grep tensorflow` or SBOM tooling.

What systems are affected by CVE-2021-29512?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, data preprocessing, shared ML compute clusters, Jupyter notebook environments.

What is the CVSS score for CVE-2021-29512?

CVE-2021-29512 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.21%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingdata preprocessingshared ML compute clustersJupyter notebook environments

MITRE ATLAS Techniques

AML.T0001 Search Open AI Vulnerability Analysis

AML.T0010.001 AI Software

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: 6.1.2, 8.4

NIST AI RMF: MANAGE-2.2, MEASURE-2.6

OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. If the `splits` argument of `RaggedBincount` does not specify a valid `SparseTensor`(https://www.tensorflow.org/api_docs/python/tf/sparse/SparseTensor), then an attacker can trigger a heap buffer overflow. This will cause a read from outside the bounds of the `splits` tensor buffer in the implementation of the `RaggedBincount` op(https://github.com/tensorflow/tensorflow/blob/8b677d79167799f71c42fd3fa074476e0295413a/tensorflow/core/kernels/bincount_op.cc#L430-L433). Before the `for` loop, `batch_idx` is set to 0. The user controls the `splits` array, making it contain only one element, 0. Thus, the code in the `while` loop would increment `batch_idx` and then try to read `splits(1)`, which is outside of bounds. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are also affected.

Exploitation Scenario

An adversary with low-privilege access to a shared ML training cluster submits a TensorFlow job containing a RaggedBincount operation where the `splits` argument is crafted as a SparseTensor with only one element (value 0). During execution, the kernel's while loop increments `batch_idx` and attempts to read `splits(1)`, which is outside allocated buffer bounds. On a heap with controlled layout, this out-of-bounds read/write can be escalated to arbitrary code execution. In a Kubernetes-based ML platform, this could allow container escape if combined with a kernel privilege escalation, or lateral movement to steal model weights and training data from co-located workloads.

Weaknesses (CWE)

CWE-787 Out-of-bounds Write Primary CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.

[Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.