AI Threat Alert

CVE-2021-29525: TensorFlow: div-by-zero DoS in Conv2DBackpropInput

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

A divide-by-zero in TensorFlow's Conv2DBackpropInput allows a local low-privilege attacker to crash training workers or TF serving processes. The CVSS 7.8 overstates practical risk for isolated deployments — the real exposure is multi-tenant ML infrastructure where untrusted users share TensorFlow workers. Patch to TF 2.5.0 or apply cherrypicks to your supported branch; prioritize shared training clusters and Jupyter environments over single-user workstations.

What is the risk?

CVSS 7.8 HIGH overstates real-world risk for most deployments due to the local attack vector (AV:L). Exploitation requires code execution on the target system or the ability to submit TensorFlow operations — this narrows exposure to multi-tenant ML platforms (Kubeflow, JupyterHub, SageMaker shared clusters). The C:H/I:H/A:H impact scores reflect worst-case crash scenarios in C++ that may allow memory corruption beyond a clean DoS. Not in CISA KEV; no evidence of active exploitation. Risk is MEDIUM for isolated deployments, HIGH for shared multi-tenant training infrastructure.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 3d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.8 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 10% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

6 steps

  1. Patch: upgrade to TensorFlow 2.5.0 (primary fix) or apply cherrypicks to TF 2.4.2, 2.3.3, 2.2.3, or 2.1.4.

  2. Audit current TF versions across all environments: pip freeze | grep -i tensorflow and check ML container base images.

  3. In multi-tenant platforms, enforce resource isolation so a crashing TF worker cannot disrupt co-tenant jobs.

  4. Add input validation on Conv2D stride/padding parameters before they reach TF kernels if upgrading immediately is not feasible.

  5. Monitor training job abnormal termination rates as an anomaly signal.

  6. Scan infrastructure-as-code and ML pipeline Docker images for vulnerable TF versions via OSS dependency scanners (Trivy, Grype).

How is it classified?

DoS Code Execution Framework Inference AML.T0010.001 AML.T0029 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.5 - AI system technical robustness and accuracy
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain value of deployed AI systems
OWASP LLM Top 10
LLM06:2025 - Excessive Agency / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29525?

A divide-by-zero in TensorFlow's Conv2DBackpropInput allows a local low-privilege attacker to crash training workers or TF serving processes. The CVSS 7.8 overstates practical risk for isolated deployments — the real exposure is multi-tenant ML infrastructure where untrusted users share TensorFlow workers. Patch to TF 2.5.0 or apply cherrypicks to your supported branch; prioritize shared training clusters and Jupyter environments over single-user workstations.

Is CVE-2021-29525 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29525, increasing the risk of exploitation.

How to fix CVE-2021-29525?

1. Patch: upgrade to TensorFlow 2.5.0 (primary fix) or apply cherrypicks to TF 2.4.2, 2.3.3, 2.2.3, or 2.1.4. 2. Audit current TF versions across all environments: `pip freeze | grep -i tensorflow` and check ML container base images. 3. In multi-tenant platforms, enforce resource isolation so a crashing TF worker cannot disrupt co-tenant jobs. 4. Add input validation on Conv2D stride/padding parameters before they reach TF kernels if upgrading immediately is not feasible. 5. Monitor training job abnormal termination rates as an anomaly signal. 6. Scan infrastructure-as-code and ML pipeline Docker images for vulnerable TF versions via OSS dependency scanners (Trivy, Grype).

What systems are affected by CVE-2021-29525?

This vulnerability affects the following AI/ML architecture patterns: CNN training pipelines, multi-tenant ML platforms, MLOps automated retraining pipelines, model serving with gradient computation.

What is the CVSS score for CVE-2021-29525?

CVE-2021-29525 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.20%.

What is the AI security impact?

Affected AI Architectures

CNN training pipelinesmulti-tenant ML platformsMLOps automated retraining pipelinesmodel serving with gradient computation

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in `tf.raw_ops.Conv2DBackpropInput`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/b40060c9f697b044e3107917c797ba052f4506ab/tensorflow/core/kernels/conv_grad_input_ops.h#L625-L655) does a division by a quantity that is controlled by the caller. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

On a shared ML training platform (Kubeflow, JupyterHub, SageMaker Studio) running TF < 2.5.0, a malicious tenant submits a training script calling `tf.raw_ops.Conv2DBackpropInput` with parameters crafted to produce a zero-valued divisor in the kernel. The division-by-zero triggers a SIGFPE crash in the TF worker process. In a shared-worker architecture, this disrupts co-tenants' training jobs and corrupts their in-progress checkpoints. Chained with a poisoned training script committed to a shared ML code repository, this becomes a low-effort sabotage vector against a team's model training pipeline — particularly effective against CI/CD-driven automated retraining systems.

Weaknesses (CWE)

CWE-369 Divide By Zero

CWE-369 — Divide By Zero: The product divides a value by zero.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed