CVE-2021-29533 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

A malformed empty image input crashes TensorFlow ML serving processes via an unhandled assertion failure in the DrawBoundingBoxes kernel. Upgrade to TF 2.5.0 or the respective patched minor releases immediately if running computer vision inference pipelines. In containerized serving environments the local/remote boundary is blurred — any untrusted input reaching this op can abort the serving process.

Risk Assessment

CVSS 5.5 medium understates operational risk in ML serving contexts. The local attack vector assumes direct process access, but in practice inference APIs accept user-supplied images. Exploitation complexity is trivial — a zero-height image is sufficient. No privilege escalation or data exposure, but process abort in multi-tenant serving infrastructure can cascade into broader availability incidents. Not in CISA KEV and 2021 vintage reduces urgency for patched environments.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 1% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch: upgrade to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4.
Input validation: enforce minimum image dimension checks (height > 0, width > 0) at API ingestion layer before data reaches TF ops.
Process isolation: run TF serving replicas in separate containers/processes so a crash does not take down the full serving tier.
Detection: alert on unexpected process exits in TF serving infrastructure — repeated zero-height image submissions are the exploitation fingerprint.
Rate limiting: add input size sanity checks in API gateway to reject degenerate inputs early.

Classification

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0043 - Craft Adversarial Data AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.7 - AI system robustness and availability

NIST AI RMF

MANAGE-2.2 - AI system robustness and error handling

OWASP LLM Top 10

LLM05:2025 - Improper Output Handling / Insufficient Input Validation

Frequently Asked Questions

What is CVE-2021-29533?

A malformed empty image input crashes TensorFlow ML serving processes via an unhandled assertion failure in the DrawBoundingBoxes kernel. Upgrade to TF 2.5.0 or the respective patched minor releases immediately if running computer vision inference pipelines. In containerized serving environments the local/remote boundary is blurred — any untrusted input reaching this op can abort the serving process.

Is CVE-2021-29533 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29533, increasing the risk of exploitation.

How to fix CVE-2021-29533?

1. Patch: upgrade to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4. 2. Input validation: enforce minimum image dimension checks (height > 0, width > 0) at API ingestion layer before data reaches TF ops. 3. Process isolation: run TF serving replicas in separate containers/processes so a crash does not take down the full serving tier. 4. Detection: alert on unexpected process exits in TF serving infrastructure — repeated zero-height image submissions are the exploitation fingerprint. 5. Rate limiting: add input size sanity checks in API gateway to reject degenerate inputs early.

What systems are affected by CVE-2021-29533?

This vulnerability affects the following AI/ML architecture patterns: model serving, computer vision inference pipelines, batch inference pipelines, training pipelines.

What is the CVSS score for CVE-2021-29533?

CVE-2021-29533 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK` failure by passing an empty image to `tf.raw_ops.DrawBoundingBoxes`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/ea34a18dc3f5c8d80a40ccca1404f343b5d55f91/tensorflow/core/kernels/image/draw_bounding_box_op.cc#L148-L165) uses `CHECK_*` assertions instead of `OP_REQUIRES` to validate user controlled inputs. Whereas `OP_REQUIRES` allows returning an error condition back to the user, the `CHECK_*` macros result in a crash if the condition is false, similar to `assert`. In this case, `height` is 0 from the `images` input. This results in `max_box_row_clamp` being negative and the assertion being falsified, followed by aborting program execution. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targeting a computer vision API (e.g., an object detection or image annotation service) submits a crafted POST request with a zero-height PNG image to the inference endpoint. The TF serving process passes the image through a pipeline containing DrawBoundingBoxes, which triggers the CHECK assertion failure and aborts the process. In an auto-restarting container environment the attacker repeatedly submits malformed images at low rate to keep the serving replica in a crash loop, degrading availability for legitimate users without triggering volume-based DDoS detections.