CVE-2021-29528: TensorFlow: DoS via division-by-zero in QuantizedMul

MEDIUM PoC AVAILABLE
Published May 14, 2021
CISO Take

A low-privileged local attacker can crash any TensorFlow process using QuantizedMul ops by crafting tensor inputs that force a division by zero. Patch to TF 2.5.0 or the backports (2.4.2 / 2.3.3 / 2.2.3 / 2.1.4) — priority is higher if you run shared ML inference infrastructure or multi-tenant Jupyter/Kubeflow environments. Impact is availability-only: no data exfiltration or code execution is possible.

Risk Assessment

Medium risk overall, lower for isolated single-tenant deployments. The local attack vector (AV:L) limits remote exploitation, but in shared ML platforms, Kubernetes-based serving clusters, or internally exposed TF Serving endpoints, a low-privileged user can reliably trigger a crash with minimal effort. No active exploitation evidence and not in CISA KEV. The predictable, reproducible crash path makes this a reliable DoS primitive for anyone with access to submit inference requests.

Affected Systems

Package: tensorflow
Ecosystem: pip
Vulnerable Range: not listed
Patched: No patch

Severity & Risk

CVSS 3.1: 5.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 1% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

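AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High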

Recommended Action

  1. Patch: upgrade TensorFlow to ≥2.5.0, or apply backports 2.4.2 / 2.3.3 / 2.2.3 / 2.1.4.

  2. If patching is delayed: restrict direct access to raw quantized ops in serving APIs and add input shape/dimension validation before QuantizedMul execution.

  3. Network controls: ensure TF Serving gRPC/REST endpoints require authentication and are not reachable by untrusted users.

  4. Detection: alert on repeated process crashes or pod restarts in TF inference workers; monitor TF logs for unhandled division errors or OpsErrors originating from quantized kernels.

  5. Isolation: run inference workers in separate pods/containers so a crash does not cascade to other tenants.
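One way to implement the step 2 validation in a serving front end, as an added example that is not code from TensorFlow or from this page. The request layout (a dict with "op" and "shapes") and the allowlist are assumptions; because the page says only that the divisor is caller-controlled, the gate conservatively rejects any operand with a zero-sized dimension and any non-scalar range input.

```python
# Added example: pre-dispatch gate for QuantizedMul requests (not TensorFlow code).
# The request layout (dict with "op" and "shapes") is a constructed assumption.

RAW_OPS_EXPOSED = {"QuantizedMul"}                    # hypothetical allowlist
TENSOR_INPUTS = ("x", "y")                            # quantized operands
RANGE_INPUTS = ("min_x", "max_x", "min_y", "max_y")   # float range inputs


def shape_problems(name, shape, scalar=False):
    """Return the reasons a declared input shape is rejected (empty if fine)."""
    if not isinstance(shape, (list, tuple)):
        return [f"{name}: shape missing or not a list"]
    if scalar:
        if len(shape) == 0:
            return []
        return [f"{name}: expected a scalar, got rank {len(shape)}"]
    problems = []
    for i, dim in enumerate(shape):
        # Unknown (-1), zero and non-integer dims are all refused up front.
        if isinstance(dim, bool) or not isinstance(dim, int) or dim < 1:
            problems.append(f"{name}: dim {i} is {dim!r}; every dim must be >= 1")
    return problems


def check_quantized_mul(request):
    """Validate one request before it is forwarded to the kernel."""
    op = request.get("op")
    if op not in RAW_OPS_EXPOSED:
        return [f"op {op!r} is not exposed by this endpoint"]
    shapes = request.get("shapes", {})
    problems = []
    for name in TENSOR_INPUTS:
        problems += shape_problems(name, shapes.get(name))
    for name in RANGE_INPUTS:
        problems += shape_problems(name, shapes.get(name), scalar=True)
    return problems


# Constructed sample requests (not captured traffic).
_OK = {"x": [4, 8], "y": [8], "min_x": [], "max_x": [], "min_y": [], "max_y": []}
GOOD = {"op": "QuantizedMul", "shapes": _OK}
EMPTY_Y = {"op": "QuantizedMul", "shapes": dict(_OK, y=[4, 0])}
VECTOR_RANGE = {"op": "QuantizedMul", "shapes": dict(_OK, min_x=[2])}
OTHER_OP = {"op": "QuantizedAdd", "shapes": _OK}

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("empty y", EMPTY_Y),
                       ("vector range", VECTOR_RANGE), ("other op", OTHER_OP)]:
        print(label, "->", check_quantized_mul(req) or "forward to kernel")
```

A rejected request should be answered with an error at the front end and logged, so that repeated attempts show up in the detection described in step 4 without the worker ever restarting.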

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: 8.4 - AI system operation
NIST AI RMF: MANAGE 2.2 - Risk Response
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2021-29528 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29528, increasing the risk of exploitation.

What systems are affected by CVE-2021-29528?

This vulnerability affects the following AI/ML architecture patterns: model serving, quantized model pipelines, training pipelines, edge inference.

What is the CVSS score for CVE-2021-29528?

CVE-2021-29528 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in `tf.raw_ops.QuantizedMul`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/55900e961ed4a23b438392024912154a2c2f5e85/tensorflow/core/kernels/quantized_mul_op.cc#L188-L198) does a division by a quantity that is controlled by the caller. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to a shared ML platform or an internally-exposed TensorFlow Serving endpoint crafts a gRPC or REST inference request containing tensor arguments that set the divisor quantity in QuantizedMul to zero. The TF runtime executes the kernel without bounds validation, hits a division-by-zero, and the worker process terminates. In a Kubernetes inference cluster, the pod crashes and restarts, momentarily disrupting live traffic. With no rate limiting, the attacker loops requests at high frequency, keeping the inference pod in a perpetual crash-restart cycle and effectively taking the model offline for all users — a sustained DoS against the AI service with no exploitation sophistication required.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: May 14, 2021
Last Modified: November 21, 2024
First Seen: May 14, 2021