CVE-2021-29534: TensorFlow: DoS via CHECK-fail in SparseConcat op

MEDIUM PoC AVAILABLE

Published May 14, 2021

CISO Take

A local attacker with low privileges can crash any TensorFlow process by passing malformed sparse tensor shapes to the SparseConcat operation, triggering an unhandled CHECK-fail that aborts the process. If your ML serving infrastructure accepts user-controlled tensor inputs, this is reachable remotely. Patch to TF 2.5.0 (or backports 2.4.2/2.3.3/2.2.3/2.1.4) immediately.

What is the risk?

Medium risk overall, but context-dependent. The CVSS local attack vector understates real-world exposure: any TF serving endpoint that processes user-supplied tensor data effectively turns this into a network-reachable DoS. Exploitation requires no sophisticated knowledge — crafting an oversized shape value is trivial. Impact is purely availability (process crash), with no data exfiltration or code execution path. Organizations running TF in training pipelines with untrusted data inputs (e.g., shared GPU clusters, multi-tenant ML platforms) face the highest risk.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 3d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

5.5 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 9% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

What should I do?

1 step

1) Upgrade to TensorFlow 2.5.0 or apply cherry-picked patches to 2.4.2, 2.3.3, 2.2.3, or 2.1.4 (commit 69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c). 2) If patching is not immediately possible, validate tensor shape dimensions before passing to SparseConcat — reject inputs with dimension values exceeding INT32_MAX or negative values. 3) Run TF serving processes with process supervisors (systemd, Kubernetes liveness probes) configured to auto-restart on crash. 4) Isolate TF serving endpoints behind an input validation proxy that enforces tensor shape bounds. 5) Monitor for anomalous process crashes in ML serving infrastructure as a detection signal.

How is it classified?

DoS Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art.9 - Risk Management System

ISO 42001

A.6.2.6 - AI system risk treatment

NIST AI RMF

MANAGE-4.1 - Residual risks from AI are documented and monitored MEASURE-2.5 - AI system operation and monitoring

Frequently Asked Questions

What is CVE-2021-29534?

Is CVE-2021-29534 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29534, increasing the risk of exploitation.

How to fix CVE-2021-29534?

1) Upgrade to TensorFlow 2.5.0 or apply cherry-picked patches to 2.4.2, 2.3.3, 2.2.3, or 2.1.4 (commit 69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c). 2) If patching is not immediately possible, validate tensor shape dimensions before passing to SparseConcat — reject inputs with dimension values exceeding INT32_MAX or negative values. 3) Run TF serving processes with process supervisors (systemd, Kubernetes liveness probes) configured to auto-restart on crash. 4) Isolate TF serving endpoints behind an input validation proxy that enforces tensor shape bounds. 5) Monitor for anomalous process crashes in ML serving infrastructure as a detection signal.

What systems are affected by CVE-2021-29534?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, batch inference.

What is the CVSS score for CVE-2021-29534?

CVE-2021-29534 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.19%.

What is the AI security impact?

Affected AI Architectures

model servingtraining pipelinesbatch inference

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0029 Denial of AI Service

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art.9

ISO 42001: A.6.2.6

NIST AI RMF: MANAGE-4.1, MEASURE-2.5

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.SparseConcat`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/b432a38fe0e1b4b904a6c222cbce794c39703e87/tensorflow/core/kernels/sparse_concat_op.cc#L76) takes the values specified in `shapes[0]` as dimensions for the output shape. The `TensorShape` constructor(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L183-L188) uses a `CHECK` operation which triggers when `InitDims`(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L212-L296) returns a non-OK status. This is a legacy implementation of the constructor and operations should use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in the presence of overflows. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targeting a company's ML-powered API submits a crafted inference request to a TensorFlow Serving endpoint that internally calls SparseConcat. The request includes a sparse tensor where shapes[0] contains an astronomically large dimension value designed to trigger integer overflow in TensorShape constructor's InitDims. The resulting non-OK status hits the legacy CHECK macro, which calls std::abort(), crashing the TF serving process. If no restart automation exists, the ML service is down. An attacker automates this at low volume to keep the service in a crash loop, evading rate limits designed for volumetric DoS.

Weaknesses (CWE)

CWE-754 Improper Check for Unusual or Exceptional Conditions

CWE-754 — Improper Check for Unusual or Exceptional Conditions: The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

[Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248).
[Implementation] Check the results of all functions that return a value and verify that the value is expected.

Source: MITRE CWE corpus.