AI Threat Alert

CVE-2021-29520: TensorFlow: heap buffer overflow in Conv3DBackprop ops

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

Any TensorFlow deployment running versions prior to 2.5.0 (or backport releases 2.4.2, 2.3.3, 2.2.3, 2.1.4) is vulnerable to a heap buffer overflow in 3D convolution backpropagation — patch immediately. The local attack vector limits remote exploitation, but shared ML training infrastructure (multi-tenant GPU clusters, JupyterHub, MLOps platforms) is at elevated risk since a low-privileged user can trigger arbitrary code execution. If you cannot patch immediately, restrict local access to training servers and audit who can submit training jobs.

What is the risk?

High severity in shared or multi-tenant ML environments; reduced risk in single-tenant or cloud-isolated training infrastructure. CVSS 7.8 with local/low-complexity/low-privilege profile means any authenticated user on the training host can trigger the overflow. Exploitation requires no user interaction, making it suitable for persistence or lateral movement once an adversary has foothold on an ML server. 3D convolution operations are common in video analytics, medical imaging (3D CT/MRI), and autonomous driving models — pipelines in these verticals face higher exposure.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.8 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 13% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

6 steps

  1. Patch

    Upgrade to TensorFlow 2.5.0, or apply cherrypick releases: 2.4.2, 2.3.3, 2.2.3, 2.1.4. Verify with pip show tensorflow on all training hosts and ML containers.

  2. Harden access

    Enforce least-privilege on ML training infrastructure — restrict who can submit training jobs or execute arbitrary TF operations.

  3. Container isolation

    Run training jobs in isolated containers/namespaces; avoid shared GPU hosts without job-level isolation.

  4. Audit dependencies

    Scan ML Docker images and Conda environments for vulnerable TensorFlow versions using pip-audit or Trivy.

  5. Detection

    Alert on heap corruption crashes (SIGABRT, SIGSEGV) in TensorFlow training processes — these may indicate exploitation attempts.

  6. Network segmentation

    Ensure training servers are not directly internet-accessible; apply separate security zones for ML infrastructure.

How is it classified?

Code Execution Supply Chain Framework Training Data AML.T0010.001 AML.T0025 AML.T0035 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity Art.15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2.6 - AI system security A.9.3 - AI System Vulnerability Management
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems MANAGE 2.4 - Residual risks and vulnerabilities are monitored and managed
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29520?

Any TensorFlow deployment running versions prior to 2.5.0 (or backport releases 2.4.2, 2.3.3, 2.2.3, 2.1.4) is vulnerable to a heap buffer overflow in 3D convolution backpropagation — patch immediately. The local attack vector limits remote exploitation, but shared ML training infrastructure (multi-tenant GPU clusters, JupyterHub, MLOps platforms) is at elevated risk since a low-privileged user can trigger arbitrary code execution. If you cannot patch immediately, restrict local access to training servers and audit who can submit training jobs.

Is CVE-2021-29520 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29520, increasing the risk of exploitation.

How to fix CVE-2021-29520?

1. **Patch**: Upgrade to TensorFlow 2.5.0, or apply cherrypick releases: 2.4.2, 2.3.3, 2.2.3, 2.1.4. Verify with `pip show tensorflow` on all training hosts and ML containers. 2. **Harden access**: Enforce least-privilege on ML training infrastructure — restrict who can submit training jobs or execute arbitrary TF operations. 3. **Container isolation**: Run training jobs in isolated containers/namespaces; avoid shared GPU hosts without job-level isolation. 4. **Audit dependencies**: Scan ML Docker images and Conda environments for vulnerable TensorFlow versions using `pip-audit` or Trivy. 5. **Detection**: Alert on heap corruption crashes (SIGABRT, SIGSEGV) in TensorFlow training processes — these may indicate exploitation attempts. 6. **Network segmentation**: Ensure training servers are not directly internet-accessible; apply separate security zones for ML infrastructure.

What systems are affected by CVE-2021-29520?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, agent frameworks.

What is the CVSS score for CVE-2021-29520?

CVE-2021-29520 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.22%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingagent frameworks

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15, Art.15
ISO 42001: A.6.2.6, A.9.3
NIST AI RMF: MANAGE 2.2, MANAGE 2.4
OWASP LLM Top 10: LLM03:2025, LLM05

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. Missing validation between arguments to `tf.raw_ops.Conv3DBackprop*` operations can result in heap buffer overflows. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/4814fafb0ca6b5ab58a09411523b2193fed23fed/tensorflow/core/kernels/conv_grad_shape_utils.cc#L94-L153) assumes that the `input`, `filter_sizes` and `out_backprop` tensors have the same shape, as they are accessed in parallel. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with low-privilege access to a shared Jupyter environment or MLOps platform (e.g., Kubeflow, MLflow tracking server with code execution) crafts a training script that calls `tf.raw_ops.Conv3DBackpropInput` with intentionally mismatched tensor shapes for `input`, `filter_sizes`, and `out_backprop`. The implementation accesses these tensors in parallel without bounds checking, triggering an out-of-bounds write on the heap. On a vulnerable host, a skilled attacker can leverage heap layout manipulation to achieve arbitrary code execution as the training process user — potentially compromising model artifacts, exfiltrating training data, or pivoting to the broader ML infrastructure. In a Kubernetes-based ML platform, this could enable container escape if combined with a kernel exploit.

Weaknesses (CWE)

CWE-787 Out-of-bounds Write Primary CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.

  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed