CVE-2021-29525 — HIGH (CVSS 7.8) AI Security Vulnerability

CISO Take

A divide-by-zero in TensorFlow's Conv2DBackpropInput allows a local low-privilege attacker to crash training workers or TF serving processes. The CVSS 7.8 overstates practical risk for isolated deployments — the real exposure is multi-tenant ML infrastructure where untrusted users share TensorFlow workers. Patch to TF 2.5.0 or apply cherrypicks to your supported branch; prioritize shared training clusters and Jupyter environments over single-user workstations.

Risk Assessment

CVSS 7.8 HIGH overstates real-world risk for most deployments due to the local attack vector (AV:L). Exploitation requires code execution on the target system or the ability to submit TensorFlow operations — this narrows exposure to multi-tenant ML platforms (Kubeflow, JupyterHub, SageMaker shared clusters). The C:H/I:H/A:H impact scores reflect worst-case crash scenarios in C++ that may allow memory corruption beyond a clean DoS. Not in CISA KEV; no evidence of active exploitation. Risk is MEDIUM for isolated deployments, HIGH for shared multi-tenant training infrastructure.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.8 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 1% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

Recommended Action

6 steps

Patch: upgrade to TensorFlow 2.5.0 (primary fix) or apply cherrypicks to TF 2.4.2, 2.3.3, 2.2.3, or 2.1.4.
Audit current TF versions across all environments: pip freeze | grep -i tensorflow and check ML container base images.
In multi-tenant platforms, enforce resource isolation so a crashing TF worker cannot disrupt co-tenant jobs.
Add input validation on Conv2D stride/padding parameters before they reach TF kernels if upgrading immediately is not feasible.
Monitor training job abnormal termination rates as an anomaly signal.
Scan infrastructure-as-code and ML pipeline Docker images for vulnerable TF versions via OSS dependency scanners (Trivy, Grype).

Classification

DoS Code Execution Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.5 - AI system technical robustness and accuracy

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain value of deployed AI systems

OWASP LLM Top 10

LLM06:2025 - Excessive Agency / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29525?

A divide-by-zero in TensorFlow's Conv2DBackpropInput allows a local low-privilege attacker to crash training workers or TF serving processes. The CVSS 7.8 overstates practical risk for isolated deployments — the real exposure is multi-tenant ML infrastructure where untrusted users share TensorFlow workers. Patch to TF 2.5.0 or apply cherrypicks to your supported branch; prioritize shared training clusters and Jupyter environments over single-user workstations.

Is CVE-2021-29525 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29525, increasing the risk of exploitation.

How to fix CVE-2021-29525?

1. Patch: upgrade to TensorFlow 2.5.0 (primary fix) or apply cherrypicks to TF 2.4.2, 2.3.3, 2.2.3, or 2.1.4. 2. Audit current TF versions across all environments: `pip freeze | grep -i tensorflow` and check ML container base images. 3. In multi-tenant platforms, enforce resource isolation so a crashing TF worker cannot disrupt co-tenant jobs. 4. Add input validation on Conv2D stride/padding parameters before they reach TF kernels if upgrading immediately is not feasible. 5. Monitor training job abnormal termination rates as an anomaly signal. 6. Scan infrastructure-as-code and ML pipeline Docker images for vulnerable TF versions via OSS dependency scanners (Trivy, Grype).

What systems are affected by CVE-2021-29525?

This vulnerability affects the following AI/ML architecture patterns: CNN training pipelines, multi-tenant ML platforms, MLOps automated retraining pipelines, model serving with gradient computation.

What is the CVSS score for CVE-2021-29525?

CVE-2021-29525 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in `tf.raw_ops.Conv2DBackpropInput`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/b40060c9f697b044e3107917c797ba052f4506ab/tensorflow/core/kernels/conv_grad_input_ops.h#L625-L655) does a division by a quantity that is controlled by the caller. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

On a shared ML training platform (Kubeflow, JupyterHub, SageMaker Studio) running TF < 2.5.0, a malicious tenant submits a training script calling `tf.raw_ops.Conv2DBackpropInput` with parameters crafted to produce a zero-valued divisor in the kernel. The division-by-zero triggers a SIGFPE crash in the TF worker process. In a shared-worker architecture, this disrupts co-tenants' training jobs and corrupts their in-progress checkpoints. Chained with a poisoned training script committed to a shared ML code repository, this becomes a low-effort sabotage vector against a team's model training pipeline — particularly effective against CI/CD-driven automated retraining systems.