AI Threat Alert

CVE-2021-29515: TensorFlow: NULL ptr deref in MatrixDiag ops (crash/RCE)

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

Any TensorFlow deployment on versions 2.1.x through 2.4.1 running MatrixDiag* operations is vulnerable to a NULL pointer dereference triggered by empty tensor input — resulting in crash or potential code execution with the process's privileges. Patch immediately to TF 2.5.0 or apply the backported fixes (2.4.2, 2.3.3, 2.2.3, 2.1.4). Shared inference endpoints and multi-tenant ML platforms (Jupyter, Kubeflow) are highest priority since a low-privileged local user can trigger the crash.

What is the risk?

CVSS 7.8 with local vector reduces exposure for isolated deployments, but the bar for exploitation is trivially low — crafting an empty tensor requires no AI/ML expertise. In shared training clusters, CI/CD pipelines processing user-submitted models, or TF Serving endpoints that accept tensor input from external sources, this effectively becomes a remotely-triggerable DoS or potential privilege escalation. Not in CISA KEV and no confirmed active exploitation as of disclosure, but the patch was emergency-backported to four maintained branches, signaling PSIRT treated it as high-priority.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 4d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.8 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 10% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

5 steps

  1. PATCH

    Upgrade to TF 2.5.0 or apply cherrypicks to 2.4.2 / 2.3.3 / 2.2.3 / 2.1.4. Commit a7116dd3913c4a4afd2a3a938573aa7c785fdfc6 is the fix.

  2. DETECT

    Grep production code for MatrixDiag, MatrixDiagV2, MatrixDiagV3 op usage — prioritize those accepting external input.

  3. WORKAROUND (if patch is delayed): Add input validation to assert tensor arguments are non-empty before calling any MatrixDiag* op.

  4. HARDEN

    Run TF Serving with minimal OS privileges (non-root, seccomp, read-only filesystem).

  5. MONITOR

    Alert on unexpected TF process crashes (SIGSEGV) in serving infrastructure.

How is it classified?

Code Execution DoS Supply Chain Framework Inference AML.T0010.001 AML.T0029 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity for high-risk AI systems
ISO 42001
A.9.2 - AI system supply chain management
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to inventory and manage known vulnerabilities in AI systems
OWASP LLM Top 10
LLM04:2023 - Model Denial of Service LLM05:2023 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29515?

Any TensorFlow deployment on versions 2.1.x through 2.4.1 running MatrixDiag* operations is vulnerable to a NULL pointer dereference triggered by empty tensor input — resulting in crash or potential code execution with the process's privileges. Patch immediately to TF 2.5.0 or apply the backported fixes (2.4.2, 2.3.3, 2.2.3, 2.1.4). Shared inference endpoints and multi-tenant ML platforms (Jupyter, Kubeflow) are highest priority since a low-privileged local user can trigger the crash.

Is CVE-2021-29515 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29515, increasing the risk of exploitation.

How to fix CVE-2021-29515?

1. PATCH: Upgrade to TF 2.5.0 or apply cherrypicks to 2.4.2 / 2.3.3 / 2.2.3 / 2.1.4. Commit a7116dd3913c4a4afd2a3a938573aa7c785fdfc6 is the fix. 2. DETECT: Grep production code for MatrixDiag, MatrixDiagV2, MatrixDiagV3 op usage — prioritize those accepting external input. 3. WORKAROUND (if patch is delayed): Add input validation to assert tensor arguments are non-empty before calling any MatrixDiag* op. 4. HARDEN: Run TF Serving with minimal OS privileges (non-root, seccomp, read-only filesystem). 5. MONITOR: Alert on unexpected TF process crashes (SIGSEGV) in serving infrastructure.

What systems are affected by CVE-2021-29515?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML notebooks, batch inference.

What is the CVSS score for CVE-2021-29515?

CVE-2021-29515 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.20%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingML notebooksbatch inference

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.9.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM04:2023, LLM05:2023

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. The implementation of `MatrixDiag*` operations(https://github.com/tensorflow/tensorflow/blob/4c4f420e68f1cfaf8f4b6e8e3eb857e9e4c3ff33/tensorflow/core/kernels/linalg/matrix_diag_op.cc#L195-L197) does not validate that the tensor arguments are non-empty. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with local access to a shared ML training cluster (e.g., a data scientist account on a Kubeflow environment) submits a crafted training job or model evaluation script that calls tf.linalg.diag() with an empty tensor (tf.constant([])). The missing validation in matrix_diag_op.cc causes a NULL pointer dereference, crashing the TF worker process. In a more targeted scenario against a TF Serving endpoint that exposes a model with a MatrixDiag op in its graph, an adversary sends a gRPC inference request with an empty tensor for the relevant input — triggering the crash remotely and potentially cycling the serving pod in a DoS loop or probing for memory corruption exploitation.

Weaknesses (CWE)

CWE-476 NULL Pointer Dereference

CWE-476 — NULL Pointer Dereference: The product dereferences a pointer that it expects to be valid but is NULL.

  • [Implementation] For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
  • [Requirements] Select a programming language that is not susceptible to these issues.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed