AI Threat Alert AI Threat Alert

CVE-2021-29534: TensorFlow: DoS via CHECK-fail in SparseConcat op

MEDIUM PoC AVAILABLE
Published May 14, 2021
CISO Take

A local attacker with low privileges can crash any TensorFlow process by passing malformed sparse tensor shapes to the SparseConcat operation, triggering an unhandled CHECK-fail that aborts the process. If your ML serving infrastructure accepts user-controlled tensor inputs, this is reachable remotely. Patch to TF 2.5.0 (or backports 2.4.2/2.3.3/2.2.3/2.1.4) immediately.

Risk Assessment

Medium risk overall, but context-dependent. The CVSS local attack vector understates real-world exposure: any TF serving endpoint that processes user-supplied tensor data effectively turns this into a network-reachable DoS. Exploitation requires no sophisticated knowledge — crafting an oversized shape value is trivial. Impact is purely availability (process crash), with no data exfiltration or code execution path. Organizations running TF in training pipelines with untrusted data inputs (e.g., shared GPU clusters, multi-tenant ML platforms) face the highest risk.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
5.5 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 1% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C None
I None
A High

Recommended Action

1 step

  1. 1) Upgrade to TensorFlow 2.5.0 or apply cherry-picked patches to 2.4.2, 2.3.3, 2.2.3, or 2.1.4 (commit 69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c). 2) If patching is not immediately possible, validate tensor shape dimensions before passing to SparseConcat — reject inputs with dimension values exceeding INT32_MAX or negative values. 3) Run TF serving processes with process supervisors (systemd, Kubernetes liveness probes) configured to auto-restart on crash. 4) Isolate TF serving endpoints behind an input validation proxy that enforces tensor shape bounds. 5) Monitor for anomalous process crashes in ML serving infrastructure as a detection signal.

Classification

DoS Framework Inference AML.T0010.001 AML.T0029 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.9 - Risk Management System
ISO 42001
A.6.2.6 - AI system risk treatment
NIST AI RMF
MANAGE-4.1 - Residual risks from AI are documented and monitored MEASURE-2.5 - AI system operation and monitoring

Frequently Asked Questions

What is CVE-2021-29534?

A local attacker with low privileges can crash any TensorFlow process by passing malformed sparse tensor shapes to the SparseConcat operation, triggering an unhandled CHECK-fail that aborts the process. If your ML serving infrastructure accepts user-controlled tensor inputs, this is reachable remotely. Patch to TF 2.5.0 (or backports 2.4.2/2.3.3/2.2.3/2.1.4) immediately.

Is CVE-2021-29534 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29534, increasing the risk of exploitation.

How to fix CVE-2021-29534?

1) Upgrade to TensorFlow 2.5.0 or apply cherry-picked patches to 2.4.2, 2.3.3, 2.2.3, or 2.1.4 (commit 69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c). 2) If patching is not immediately possible, validate tensor shape dimensions before passing to SparseConcat — reject inputs with dimension values exceeding INT32_MAX or negative values. 3) Run TF serving processes with process supervisors (systemd, Kubernetes liveness probes) configured to auto-restart on crash. 4) Isolate TF serving endpoints behind an input validation proxy that enforces tensor shape bounds. 5) Monitor for anomalous process crashes in ML serving infrastructure as a detection signal.

What systems are affected by CVE-2021-29534?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, batch inference.

What is the CVSS score for CVE-2021-29534?

CVE-2021-29534 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.SparseConcat`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/b432a38fe0e1b4b904a6c222cbce794c39703e87/tensorflow/core/kernels/sparse_concat_op.cc#L76) takes the values specified in `shapes[0]` as dimensions for the output shape. The `TensorShape` constructor(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L183-L188) uses a `CHECK` operation which triggers when `InitDims`(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L212-L296) returns a non-OK status. This is a legacy implementation of the constructor and operations should use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in the presence of overflows. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targeting a company's ML-powered API submits a crafted inference request to a TensorFlow Serving endpoint that internally calls SparseConcat. The request includes a sparse tensor where shapes[0] contains an astronomically large dimension value designed to trigger integer overflow in TensorShape constructor's InitDims. The resulting non-OK status hits the legacy CHECK macro, which calls std::abort(), crashing the TF serving process. If no restart automation exists, the ML service is down. An attacker automates this at low volume to keep the service in a crash loop, evading rate limits designed for volumetric DoS.

Weaknesses (CWE)

CWE-754

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed