CVE-2021-29523 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

A local attacker with low privileges can crash TensorFlow processes by passing malicious sparse_shape values to AddManySparseToTensorsMap, triggering a CHECK-fail through integer overflow (CWE-190). Risk is limited to availability but is elevated in multi-tenant ML platforms where a single crash disrupts co-located training jobs. Patch immediately to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4; enforce workload isolation on shared inference/training infrastructure.

Risk Assessment

Medium risk overall, but elevated in shared ML environments such as Kubeflow clusters, SageMaker custom containers, or shared Jupyter servers where untrusted users can submit workloads. CVSS 5.5 understates impact on multi-tenant platforms where one crafted input can crash shared TF worker processes. No remote attack vector and no data exfiltration path constrain blast radius. Not in CISA KEV; no evidence of active exploitation in the wild.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 1% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

1 step

1) Patch: Upgrade to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4. 2) Isolation: Enforce per-user container/VM isolation on shared ML platforms; never run untrusted workloads in shared TF processes. 3) Input validation: Reject sparse_shape dimension values that could trigger overflow before they reach TF ops. 4) Detection: Alert on unexpected TF process SIGABRT/CHECK-fail log patterns as anomaly indicators for abuse attempts. 5) Least privilege: Restrict who can submit TF raw_ops jobs in shared environments.

Classification

DoS Framework AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI risk management process

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain deployed AI system value

OWASP LLM Top 10

LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2021-29523?

A local attacker with low privileges can crash TensorFlow processes by passing malicious sparse_shape values to AddManySparseToTensorsMap, triggering a CHECK-fail through integer overflow (CWE-190). Risk is limited to availability but is elevated in multi-tenant ML platforms where a single crash disrupts co-located training jobs. Patch immediately to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4; enforce workload isolation on shared inference/training infrastructure.

Is CVE-2021-29523 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29523, increasing the risk of exploitation.

How to fix CVE-2021-29523?

1) Patch: Upgrade to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4. 2) Isolation: Enforce per-user container/VM isolation on shared ML platforms; never run untrusted workloads in shared TF processes. 3) Input validation: Reject sparse_shape dimension values that could trigger overflow before they reach TF ops. 4) Detection: Alert on unexpected TF process SIGABRT/CHECK-fail log patterns as anomaly indicators for abuse attempts. 5) Least privilege: Restrict who can submit TF raw_ops jobs in shared environments.

What systems are affected by CVE-2021-29523?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, shared ML platforms.

What is the CVSS score for CVE-2021-29523?

CVE-2021-29523 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.AddManySparseToTensorsMap`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/kernels/sparse_tensors_map_ops.cc#L257) takes the values specified in `sparse_shape` as dimensions for the output shape. The `TensorShape` constructor(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L183-L188) uses a `CHECK` operation which triggers when `InitDims`(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L212-L296) returns a non-OK status. This is a legacy implementation of the constructor and operations should use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in the presence of overflows. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

On a shared Kubeflow or JupyterHub ML cluster, a malicious tenant submits a training job containing a single Python call: tf.raw_ops.AddManySparseToTensorsMap with sparse_shape values crafted to cause integer overflow in the TensorShape constructor. The CHECK-fail triggers SIGABRT, crashing the TF worker process—potentially taking down co-located training jobs on the same node or disrupting a shared parameter server. No advanced ML knowledge required; exploitation is a one-liner with documented TF Python API.