AI Threat Alert AI Threat Alert

CVE-2021-29520: TensorFlow: heap buffer overflow in Conv3DBackprop ops

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

Any TensorFlow deployment running versions prior to 2.5.0 (or backport releases 2.4.2, 2.3.3, 2.2.3, 2.1.4) is vulnerable to a heap buffer overflow in 3D convolution backpropagation — patch immediately. The local attack vector limits remote exploitation, but shared ML training infrastructure (multi-tenant GPU clusters, JupyterHub, MLOps platforms) is at elevated risk since a low-privileged user can trigger arbitrary code execution. If you cannot patch immediately, restrict local access to training servers and audit who can submit training jobs.

Risk Assessment

High severity in shared or multi-tenant ML environments; reduced risk in single-tenant or cloud-isolated training infrastructure. CVSS 7.8 with local/low-complexity/low-privilege profile means any authenticated user on the training host can trigger the overflow. Exploitation requires no user interaction, making it suitable for persistence or lateral movement once an adversary has foothold on an ML server. 3D convolution operations are common in video analytics, medical imaging (3D CT/MRI), and autonomous driving models — pipelines in these verticals face higher exposure.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
7.8 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 2% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

Recommended Action

6 steps

  1. Patch

    Upgrade to TensorFlow 2.5.0, or apply cherrypick releases: 2.4.2, 2.3.3, 2.2.3, 2.1.4. Verify with pip show tensorflow on all training hosts and ML containers.

  2. Harden access

    Enforce least-privilege on ML training infrastructure — restrict who can submit training jobs or execute arbitrary TF operations.

  3. Container isolation

    Run training jobs in isolated containers/namespaces; avoid shared GPU hosts without job-level isolation.

  4. Audit dependencies

    Scan ML Docker images and Conda environments for vulnerable TensorFlow versions using pip-audit or Trivy.

  5. Detection

    Alert on heap corruption crashes (SIGABRT, SIGSEGV) in TensorFlow training processes — these may indicate exploitation attempts.

  6. Network segmentation

    Ensure training servers are not directly internet-accessible; apply separate security zones for ML infrastructure.

Classification

Code Execution Supply Chain Framework Training Data AML.T0010.001 AML.T0025 AML.T0035 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity Art.15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2.6 - AI system security A.9.3 - AI System Vulnerability Management
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems MANAGE 2.4 - Residual risks and vulnerabilities are monitored and managed
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29520?

Any TensorFlow deployment running versions prior to 2.5.0 (or backport releases 2.4.2, 2.3.3, 2.2.3, 2.1.4) is vulnerable to a heap buffer overflow in 3D convolution backpropagation — patch immediately. The local attack vector limits remote exploitation, but shared ML training infrastructure (multi-tenant GPU clusters, JupyterHub, MLOps platforms) is at elevated risk since a low-privileged user can trigger arbitrary code execution. If you cannot patch immediately, restrict local access to training servers and audit who can submit training jobs.

Is CVE-2021-29520 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29520, increasing the risk of exploitation.

How to fix CVE-2021-29520?

1. **Patch**: Upgrade to TensorFlow 2.5.0, or apply cherrypick releases: 2.4.2, 2.3.3, 2.2.3, 2.1.4. Verify with `pip show tensorflow` on all training hosts and ML containers. 2. **Harden access**: Enforce least-privilege on ML training infrastructure — restrict who can submit training jobs or execute arbitrary TF operations. 3. **Container isolation**: Run training jobs in isolated containers/namespaces; avoid shared GPU hosts without job-level isolation. 4. **Audit dependencies**: Scan ML Docker images and Conda environments for vulnerable TensorFlow versions using `pip-audit` or Trivy. 5. **Detection**: Alert on heap corruption crashes (SIGABRT, SIGSEGV) in TensorFlow training processes — these may indicate exploitation attempts. 6. **Network segmentation**: Ensure training servers are not directly internet-accessible; apply separate security zones for ML infrastructure.

What systems are affected by CVE-2021-29520?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, agent frameworks.

What is the CVSS score for CVE-2021-29520?

CVE-2021-29520 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. Missing validation between arguments to `tf.raw_ops.Conv3DBackprop*` operations can result in heap buffer overflows. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/4814fafb0ca6b5ab58a09411523b2193fed23fed/tensorflow/core/kernels/conv_grad_shape_utils.cc#L94-L153) assumes that the `input`, `filter_sizes` and `out_backprop` tensors have the same shape, as they are accessed in parallel. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with low-privilege access to a shared Jupyter environment or MLOps platform (e.g., Kubeflow, MLflow tracking server with code execution) crafts a training script that calls `tf.raw_ops.Conv3DBackpropInput` with intentionally mismatched tensor shapes for `input`, `filter_sizes`, and `out_backprop`. The implementation accesses these tensors in parallel without bounds checking, triggering an out-of-bounds write on the heap. On a vulnerable host, a skilled attacker can leverage heap layout manipulation to achieve arbitrary code execution as the training process user — potentially compromising model artifacts, exfiltrating training data, or pivoting to the broader ML infrastructure. In a Kubernetes-based ML platform, this could enable container escape if combined with a kernel exploit.

Weaknesses (CWE)

CWE-787 Primary CWE-120

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed