AI Threat Alert AI Threat Alert

CVE-2021-29512: TensorFlow: heap buffer overflow in RaggedBincount op

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

A low-privileged local attacker can trigger a heap buffer overflow in TensorFlow's RaggedBincount operation by passing a malformed splits array, enabling arbitrary read/write and potential code execution. Any environment where untrusted users can submit TensorFlow operations—shared training clusters, Jupyter hubs, MLaaS platforms—is at elevated risk. Patch immediately to TensorFlow 2.5.0, 2.4.2, or 2.3.3; there are no viable workarounds short of disabling sparse tensor operations.

Risk Assessment

CVSS 7.8 (High) with local attack vector and low privilege requirement makes this exploitable in multi-tenant ML environments such as shared Jupyter servers, Kubernetes-based training clusters, or any platform where users submit arbitrary TensorFlow graphs. While not remotely exploitable by default, the low attack complexity (AC:L) means exploitation is straightforward once local access exists. The combination of CWE-787 (out-of-bounds write) and CWE-120 (buffer overflow) makes this a memory corruption primitive with real RCE potential. Not in CISA KEV and from 2021, reducing urgency for fully patched environments.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
7.8 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 2% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

Recommended Action

5 steps

  1. PATCH

    Upgrade TensorFlow to >= 2.5.0 (or cherrypick releases 2.4.2 / 2.3.3). Run pip show tensorflow to verify installed version.

  2. ISOLATE

    Until patched, restrict who can submit arbitrary TensorFlow graphs—sandbox notebook environments, enforce signed model artifacts, and reject raw user-supplied compute graphs in serving infrastructure.

  3. NETWORK CONTROLS

    Do not expose TensorFlow Serving gRPC/REST endpoints directly; place behind authenticated API gateway.

  4. DETECT

    Monitor for crashes or SIGABRT/SIGSEGV in TF serving workers—heap corruption often manifests as unexpected process termination.

  5. AUDIT

    Inventory all TF versions across training, serving, and CI/CD pipelines using pip list | grep tensorflow or SBOM tooling.

Classification

Code Execution Framework Training Data AML.T0001 AML.T0010.001 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
6.1.2 - AI risk assessment 8.4 - AI system operation and monitoring
NIST AI RMF
MANAGE-2.2 - Mechanisms to respond to, recover from, and communicate about AI risks MEASURE-2.6 - Technical AI risk metrics are defined and monitored
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling / Insecure Plugin Design

Frequently Asked Questions

What is CVE-2021-29512?

A low-privileged local attacker can trigger a heap buffer overflow in TensorFlow's RaggedBincount operation by passing a malformed splits array, enabling arbitrary read/write and potential code execution. Any environment where untrusted users can submit TensorFlow operations—shared training clusters, Jupyter hubs, MLaaS platforms—is at elevated risk. Patch immediately to TensorFlow 2.5.0, 2.4.2, or 2.3.3; there are no viable workarounds short of disabling sparse tensor operations.

Is CVE-2021-29512 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29512, increasing the risk of exploitation.

How to fix CVE-2021-29512?

1. PATCH: Upgrade TensorFlow to >= 2.5.0 (or cherrypick releases 2.4.2 / 2.3.3). Run `pip show tensorflow` to verify installed version. 2. ISOLATE: Until patched, restrict who can submit arbitrary TensorFlow graphs—sandbox notebook environments, enforce signed model artifacts, and reject raw user-supplied compute graphs in serving infrastructure. 3. NETWORK CONTROLS: Do not expose TensorFlow Serving gRPC/REST endpoints directly; place behind authenticated API gateway. 4. DETECT: Monitor for crashes or SIGABRT/SIGSEGV in TF serving workers—heap corruption often manifests as unexpected process termination. 5. AUDIT: Inventory all TF versions across training, serving, and CI/CD pipelines using `pip list | grep tensorflow` or SBOM tooling.

What systems are affected by CVE-2021-29512?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, data preprocessing, shared ML compute clusters, Jupyter notebook environments.

What is the CVSS score for CVE-2021-29512?

CVE-2021-29512 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. If the `splits` argument of `RaggedBincount` does not specify a valid `SparseTensor`(https://www.tensorflow.org/api_docs/python/tf/sparse/SparseTensor), then an attacker can trigger a heap buffer overflow. This will cause a read from outside the bounds of the `splits` tensor buffer in the implementation of the `RaggedBincount` op(https://github.com/tensorflow/tensorflow/blob/8b677d79167799f71c42fd3fa074476e0295413a/tensorflow/core/kernels/bincount_op.cc#L430-L433). Before the `for` loop, `batch_idx` is set to 0. The user controls the `splits` array, making it contain only one element, 0. Thus, the code in the `while` loop would increment `batch_idx` and then try to read `splits(1)`, which is outside of bounds. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are also affected.

Exploitation Scenario

An adversary with low-privilege access to a shared ML training cluster submits a TensorFlow job containing a RaggedBincount operation where the `splits` argument is crafted as a SparseTensor with only one element (value 0). During execution, the kernel's while loop increments `batch_idx` and attempts to read `splits(1)`, which is outside allocated buffer bounds. On a heap with controlled layout, this out-of-bounds read/write can be escalated to arbitrary code execution. In a Kubernetes-based ML platform, this could allow container escape if combined with a kernel privilege escalation, or lateral movement to steal model weights and training data from co-located workloads.

Weaknesses (CWE)

CWE-787 Primary CWE-120

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed