CVE-2021-29533: TensorFlow DoS via empty image

CISO Take

A malformed empty image input crashes TensorFlow ML serving processes via an unhandled assertion failure in the DrawBoundingBoxes kernel. Upgrade to TF 2.5.0 or the respective patched minor releases immediately if running computer vision inference pipelines. In containerized serving environments the local/remote boundary is blurred — any untrusted input reaching this op can abort the serving process.

What is the risk?

CVSS 5.5 medium understates operational risk in ML serving contexts. The local attack vector assumes direct process access, but in practice inference APIs accept user-supplied images. Exploitation complexity is trivial — a zero-height image is sufficient. No privilege escalation or data exposure, but process abort in multi-tenant serving infrastructure can cascade into broader availability incidents. Not in CISA KEV and 2021 vintage reduces urgency for patched environments.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

5.5 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 12% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

What should I do?

5 steps

Patch: upgrade to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4.
Input validation: enforce minimum image dimension checks (height > 0, width > 0) at API ingestion layer before data reaches TF ops.
Process isolation: run TF serving replicas in separate containers/processes so a crash does not take down the full serving tier.
Detection: alert on unexpected process exits in TF serving infrastructure — repeated zero-height image submissions are the exploitation fingerprint.
Rate limiting: add input size sanity checks in API gateway to reject degenerate inputs early.

How is it classified?

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0043 - Craft Adversarial Data AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.7 - AI system robustness and availability

NIST AI RMF

MANAGE-2.2 - AI system robustness and error handling

OWASP LLM Top 10

LLM05:2025 - Improper Output Handling / Insufficient Input Validation

Frequently Asked Questions

What is CVE-2021-29533?

A malformed empty image input crashes TensorFlow ML serving processes via an unhandled assertion failure in the DrawBoundingBoxes kernel. Upgrade to TF 2.5.0 or the respective patched minor releases immediately if running computer vision inference pipelines. In containerized serving environments the local/remote boundary is blurred — any untrusted input reaching this op can abort the serving process.

Is CVE-2021-29533 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29533, increasing the risk of exploitation.

How to fix CVE-2021-29533?

1. Patch: upgrade to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4. 2. Input validation: enforce minimum image dimension checks (height > 0, width > 0) at API ingestion layer before data reaches TF ops. 3. Process isolation: run TF serving replicas in separate containers/processes so a crash does not take down the full serving tier. 4. Detection: alert on unexpected process exits in TF serving infrastructure — repeated zero-height image submissions are the exploitation fingerprint. 5. Rate limiting: add input size sanity checks in API gateway to reject degenerate inputs early.

What systems are affected by CVE-2021-29533?

This vulnerability affects the following AI/ML architecture patterns: model serving, computer vision inference pipelines, batch inference pipelines, training pipelines.

What is the CVSS score for CVE-2021-29533?

CVE-2021-29533 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.22%.

What is the AI security impact?

Affected AI Architectures

model servingcomputer vision inference pipelinesbatch inference pipelinestraining pipelines

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service

AML.T0043 Craft Adversarial Data

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art.15

ISO 42001: A.9.7

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK` failure by passing an empty image to `tf.raw_ops.DrawBoundingBoxes`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/ea34a18dc3f5c8d80a40ccca1404f343b5d55f91/tensorflow/core/kernels/image/draw_bounding_box_op.cc#L148-L165) uses `CHECK_*` assertions instead of `OP_REQUIRES` to validate user controlled inputs. Whereas `OP_REQUIRES` allows returning an error condition back to the user, the `CHECK_*` macros result in a crash if the condition is false, similar to `assert`. In this case, `height` is 0 from the `images` input. This results in `max_box_row_clamp` being negative and the assertion being falsified, followed by aborting program execution. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targeting a computer vision API (e.g., an object detection or image annotation service) submits a crafted POST request with a zero-height PNG image to the inference endpoint. The TF serving process passes the image through a pipeline containing DrawBoundingBoxes, which triggers the CHECK assertion failure and aborts the process. In an auto-restarting container environment the attacker repeatedly submits malformed images at low rate to keep the serving replica in a crash loop, degrading availability for legitimate users without triggering volume-based DDoS detections.

Weaknesses (CWE)

CWE-754 Improper Check for Unusual or Exceptional Conditions

CWE-754 — Improper Check for Unusual or Exceptional Conditions: The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

[Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248).
[Implementation] Check the results of all functions that return a value and verify that the value is expected.

Source: MITRE CWE corpus.