AI Threat Alert AI Threat Alert

CVE-2021-29519: TensorFlow SparseCross: type confusion DoS

MEDIUM PoC AVAILABLE
Published May 14, 2021
CISO Take

A type confusion bug in TensorFlow's SparseCross op lets any local low-privilege user crash TF-based workloads via a CHECK-failure abort — no data exposure, availability impact only. Patch to TF 2.5.0+ or apply the backports (2.4.2, 2.3.3, 2.2.3, 2.1.4). Priority is moderate unless you run shared ML infrastructure where untrusted users can submit training jobs or model inputs.

Risk Assessment

Medium risk in practice. Local attack vector with low-privilege requirement significantly limits exposure — a remote attacker needs a foothold first, or the vulnerable op must be reachable via a model serving endpoint processing user-supplied sparse features. No confidentiality or integrity impact (C:N/I:N/A:H). Not in CISA KEV, no evidence of active exploitation. Risk elevates meaningfully in shared GPU clusters, multi-tenant Jupyter/MLflow environments, or online feature preprocessing services that invoke SparseCross on user-controlled categorical inputs.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
5.5 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 1% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C None
I None
A High

Recommended Action

5 steps

  1. PATCH

    Upgrade to TF 2.5.0+. Backports available for TF 2.4.2, 2.3.3, 2.2.3, 2.1.4 — apply the minimum backport matching your installed branch. Commit: b1cc5e5a50e7cee09f2c6eb48eb40ee9c4125025.

  2. INPUT VALIDATION

    Add explicit dtype guards before SparseCross calls — reject inputs that mix DT_STRING and DT_INT64 types at the application layer.

  3. ISOLATION

    Ensure TF Serving instances handling external inputs run in sandboxed containers with restart policies; limit blast radius of process crashes.

  4. DETECTION

    Alert on repeated TF process SIGABRT/CHECK failure signals (look for 'Check failed' in TF logs); anomalous crash patterns from the same user or endpoint warrant investigation.

  5. INVENTORY

    Audit all TF versions across ML training, serving, and preprocessing workloads — unpatched versions in containerized ML pipelines are the highest-priority targets.

Classification

DoS Framework AML.T0010.001 AML.T0029 AML.T0043.003

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.6 - AI system security
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain AI risk management
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29519?

A type confusion bug in TensorFlow's SparseCross op lets any local low-privilege user crash TF-based workloads via a CHECK-failure abort — no data exposure, availability impact only. Patch to TF 2.5.0+ or apply the backports (2.4.2, 2.3.3, 2.2.3, 2.1.4). Priority is moderate unless you run shared ML infrastructure where untrusted users can submit training jobs or model inputs.

Is CVE-2021-29519 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29519, increasing the risk of exploitation.

How to fix CVE-2021-29519?

1. PATCH: Upgrade to TF 2.5.0+. Backports available for TF 2.4.2, 2.3.3, 2.2.3, 2.1.4 — apply the minimum backport matching your installed branch. Commit: b1cc5e5a50e7cee09f2c6eb48eb40ee9c4125025. 2. INPUT VALIDATION: Add explicit dtype guards before SparseCross calls — reject inputs that mix DT_STRING and DT_INT64 types at the application layer. 3. ISOLATION: Ensure TF Serving instances handling external inputs run in sandboxed containers with restart policies; limit blast radius of process crashes. 4. DETECTION: Alert on repeated TF process SIGABRT/CHECK failure signals (look for 'Check failed' in TF logs); anomalous crash patterns from the same user or endpoint warrant investigation. 5. INVENTORY: Audit all TF versions across ML training, serving, and preprocessing workloads — unpatched versions in containerized ML pipelines are the highest-priority targets.

What systems are affected by CVE-2021-29519?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, feature engineering pipelines.

What is the CVSS score for CVE-2021-29519?

CVE-2021-29519 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. The API of `tf.raw_ops.SparseCross` allows combinations which would result in a `CHECK`-failure and denial of service. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/3d782b7d47b1bf2ed32bd4a246d6d6cadc4c903d/tensorflow/core/kernels/sparse_cross_op.cc#L114-L116) is tricked to consider a tensor of type `tstring` which in fact contains integral elements. Fixing the type confusion by preventing mixing `DT_STRING` and `DT_INT64` types solves this issue. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to a shared MLOps environment — a data scientist account on a multi-tenant JupyterHub, an MLflow experiment runner, or a compromised CI/CD pipeline — writes a short Python snippet invoking tf.raw_ops.SparseCross and passes it a tstring-typed tensor populated with integer values. When the op executes, TF's internal CHECK fires and aborts the process. In a co-located GPU cluster, this terminates other users' training runs. A more impactful scenario: an online serving endpoint preprocessing user-supplied sparse categorical features (e.g., for a recommendation model) uses SparseCross in the feature pipeline. An external attacker crafts HTTP requests with malformed feature payloads containing mixed-type tensors, repeatedly crashing the serving process and causing sustained service unavailability for all users of that model.

Weaknesses (CWE)

CWE-843

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed