CVE-2021-29515 — HIGH (CVSS 7.8) AI Security Vulnerability

CISO Take

Any TensorFlow deployment on versions 2.1.x through 2.4.1 running MatrixDiag* operations is vulnerable to a NULL pointer dereference triggered by empty tensor input — resulting in crash or potential code execution with the process's privileges. Patch immediately to TF 2.5.0 or apply the backported fixes (2.4.2, 2.3.3, 2.2.3, 2.1.4). Shared inference endpoints and multi-tenant ML platforms (Jupyter, Kubeflow) are highest priority since a low-privileged local user can trigger the crash.

Risk Assessment

CVSS 7.8 with local vector reduces exposure for isolated deployments, but the bar for exploitation is trivially low — crafting an empty tensor requires no AI/ML expertise. In shared training clusters, CI/CD pipelines processing user-submitted models, or TF Serving endpoints that accept tensor input from external sources, this effectively becomes a remotely-triggerable DoS or potential privilege escalation. Not in CISA KEV and no confirmed active exploitation as of disclosure, but the patch was emergency-backported to four maintained branches, signaling PSIRT treated it as high-priority.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.8 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 1% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

Recommended Action

5 steps

PATCH

Upgrade to TF 2.5.0 or apply cherrypicks to 2.4.2 / 2.3.3 / 2.2.3 / 2.1.4. Commit a7116dd3913c4a4afd2a3a938573aa7c785fdfc6 is the fix.
DETECT

Grep production code for MatrixDiag, MatrixDiagV2, MatrixDiagV3 op usage — prioritize those accepting external input.
WORKAROUND (if patch is delayed): Add input validation to assert tensor arguments are non-empty before calling any MatrixDiag* op.
HARDEN

Run TF Serving with minimal OS privileges (non-root, seccomp, read-only filesystem).
MONITOR

Alert on unexpected TF process crashes (SIGSEGV) in serving infrastructure.

Classification

Code Execution DoS Supply Chain Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity for high-risk AI systems

ISO 42001

A.9.2 - AI system supply chain management

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place to inventory and manage known vulnerabilities in AI systems

OWASP LLM Top 10

LLM04:2023 - Model Denial of Service LLM05:2023 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29515?

Any TensorFlow deployment on versions 2.1.x through 2.4.1 running MatrixDiag* operations is vulnerable to a NULL pointer dereference triggered by empty tensor input — resulting in crash or potential code execution with the process's privileges. Patch immediately to TF 2.5.0 or apply the backported fixes (2.4.2, 2.3.3, 2.2.3, 2.1.4). Shared inference endpoints and multi-tenant ML platforms (Jupyter, Kubeflow) are highest priority since a low-privileged local user can trigger the crash.

Is CVE-2021-29515 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29515, increasing the risk of exploitation.

How to fix CVE-2021-29515?

1. PATCH: Upgrade to TF 2.5.0 or apply cherrypicks to 2.4.2 / 2.3.3 / 2.2.3 / 2.1.4. Commit a7116dd3913c4a4afd2a3a938573aa7c785fdfc6 is the fix. 2. DETECT: Grep production code for MatrixDiag, MatrixDiagV2, MatrixDiagV3 op usage — prioritize those accepting external input. 3. WORKAROUND (if patch is delayed): Add input validation to assert tensor arguments are non-empty before calling any MatrixDiag* op. 4. HARDEN: Run TF Serving with minimal OS privileges (non-root, seccomp, read-only filesystem). 5. MONITOR: Alert on unexpected TF process crashes (SIGSEGV) in serving infrastructure.

What systems are affected by CVE-2021-29515?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML notebooks, batch inference.

What is the CVSS score for CVE-2021-29515?

CVE-2021-29515 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. The implementation of `MatrixDiag*` operations(https://github.com/tensorflow/tensorflow/blob/4c4f420e68f1cfaf8f4b6e8e3eb857e9e4c3ff33/tensorflow/core/kernels/linalg/matrix_diag_op.cc#L195-L197) does not validate that the tensor arguments are non-empty. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with local access to a shared ML training cluster (e.g., a data scientist account on a Kubeflow environment) submits a crafted training job or model evaluation script that calls tf.linalg.diag() with an empty tensor (tf.constant([])). The missing validation in matrix_diag_op.cc causes a NULL pointer dereference, crashing the TF worker process. In a more targeted scenario against a TF Serving endpoint that exposes a model with a MatrixDiag op in its graph, an adversary sends a gRPC inference request with an empty tensor for the relevant input — triggering the crash remotely and potentially cycling the serving pod in a DoS loop or probing for memory corruption exploitation.