CVE-2021-29530: TensorFlow: null ptr deref in sparse Cholesky ops

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

TensorFlow 2.1–2.4 contains a null pointer dereference in sparse matrix factorization ops due to broken validation propagation via the OP_REQUIRES macro. Any environment where untrusted users can submit TensorFlow ops—shared notebooks, model serving APIs—is exposed to process crashes. Patch to TF 2.5.0 or backports (2.4.2, 2.3.3, 2.2.3, 2.1.4) immediately and audit whether raw TF ops are reachable from untrusted inputs.

Risk Assessment

Moderate-to-high risk for multi-tenant ML environments. CVSS 7.8 is scored as local, but in shared Jupyter hubs, MLflow deployments, or TF Serving instances that expose raw ops to end users, the effective attack surface is substantially broader. No evidence of active exploitation and not in CISA KEV, but low-complexity exploitation (crafting an invalid permutation argument is trivial) lowers the bar significantly. Organizations running TensorFlow in production inference or shared research platforms should treat this as urgent.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 7.8 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 2% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

Recommended Action

1. Upgrade TensorFlow to 2.5.0; if constrained by compatibility, apply backports: 2.4.2, 2.3.3, 2.2.3, or 2.1.4.
2. Immediately audit whether tf.raw_ops is accessible to untrusted users via serving APIs or notebook environments—restrict if so.
3. Add input validation middleware in serving layers to reject malformed sparse matrix inputs before TF op execution.
4. In multi-tenant platforms, isolate TF worker processes per tenant to contain crash blast radius.
5. Monitor for unexpected SIGSEGV/process crash signals in TF worker logs as a potential exploitation indicator.
6. Review dependency lock files across ML pipelines to confirm pinned TF version is patched.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.3 - AI system vulnerability management
NIST AI RMF: MANAGE-2.2 - AI risk treatment and remediation
OWASP LLM Top 10: LLM03 - Supply Chain

Frequently Asked Questions

Is CVE-2021-29530 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29530, increasing the risk of exploitation.

What systems are affected by CVE-2021-29530?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML research environments, multi-tenant ML platforms.

What is the CVSS score for CVE-2021-29530?

CVE-2021-29530 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a null pointer dereference by providing an invalid `permutation` to `tf.raw_ops.SparseMatrixSparseCholesky`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/080f1d9e257589f78b3ffb75debf584168aa6062/tensorflow/core/kernels/sparse/sparse_cholesky_op.cc#L85-L86) fails to properly validate the input arguments. Although `ValidateInputs` is called and there are checks in the body of this function, the code proceeds to the next line in `ValidateInputs` since `OP_REQUIRES` (https://github.com/tensorflow/tensorflow/blob/080f1d9e257589f78b3ffb75debf584168aa6062/tensorflow/core/framework/op_requires.h#L41-L48) is a macro that only exits the current function. Thus, the first validation condition that fails in `ValidateInputs` will cause an early return from that function. However, the caller will continue execution from the next line. The fix is to either explicitly check `context->status()` or to convert `ValidateInputs` to return a `Status`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
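The control-flow flaw and the two fixes named in the description, modelled without TensorFlow. This is an added example, not TensorFlow's code: `Ctx`, `SKETCH_REQUIRES`, the `Compute*` functions and the two validation checks are hypothetical stand-ins, and each `Compute*` function returns whether the caller would go on to the factorization step.

```cpp
#include <string>
#include <vector>

// Hypothetical stand-in for an op context: records the first reported error.
struct Ctx {
  bool ok = true;
  std::string error;
  void SetError(const std::string& m) { if (ok) { ok = false; error = m; } }
};

// Same shape as the macro the description refers to: on failure it records
// the error and returns from the *enclosing* function only.
#define SKETCH_REQUIRES(ctx, cond, msg) \
  do { if (!(cond)) { (ctx)->SetError(msg); return; } } while (0)

// Constructed checks (assumption): one permutation entry per matrix row.
void ValidateInputsVoid(Ctx* ctx, int rows, const std::vector<int>& perm) {
  SKETCH_REQUIRES(ctx, rows > 0, "matrix must be non-empty");
  SKETCH_REQUIRES(ctx, static_cast<int>(perm.size()) == rows,
                  "permutation size must equal number of rows");
}

// Flawed caller: the helper returned early, but nothing stops this function.
bool ComputeUnchecked(Ctx* ctx, int rows, const std::vector<int>& perm) {
  ValidateInputsVoid(ctx, rows, perm);
  return true;  // factorization step reached even when ctx->ok is false
}

// Fix A: explicitly check the context status after validation.
bool ComputeStatusChecked(Ctx* ctx, int rows, const std::vector<int>& perm) {
  ValidateInputsVoid(ctx, rows, perm);
  if (!ctx->ok) return false;  // stop before touching the inputs
  return true;
}

// Fix B: validation returns its result, so the caller has to handle it.
std::string ValidateInputsStatus(int rows, const std::vector<int>& perm) {
  if (rows <= 0) return "matrix must be non-empty";
  if (static_cast<int>(perm.size()) != rows)
    return "permutation size must equal number of rows";
  return "";  // empty string means the inputs passed
}

bool ComputeStatusReturned(Ctx* ctx, int rows, const std::vector<int>& perm) {
  const std::string err = ValidateInputsStatus(rows, perm);
  if (!err.empty()) { ctx->SetError(err); return false; }
  return true;
}
```

When auditing other kernels for the same pattern, look for `void` helper functions that use an early-return macro and whose callers do not inspect the context status afterwards.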

Exploitation Scenario

An attacker with access to a shared Jupyter notebook environment or a model serving endpoint that exposes sparse linear algebra operations submits a crafted tensor with an invalid permutation argument to SparseMatrixSparseCholesky. ValidateInputs is called but returns early on the first failed check—the OP_REQUIRES macro only exits ValidateInputs, not the caller. The caller continues execution and dereferences a null pointer, crashing the TF worker process. In a shared notebook hub, this takes down the TF kernel for all co-located users. Against a TF Serving instance, repeated submissions sustain a denial of service. Exploitation requires no ML expertise—only knowledge of the affected op's argument signature, which is public documentation.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: May 14, 2021
Last Modified: November 21, 2024
First Seen: May 14, 2021
