CVE-2021-29535: TensorFlow: heap overflow in QuantizedMul op

Severity: HIGH. PoC available.
Published May 14, 2021
CISO Take

A heap buffer overflow in TensorFlow's QuantizedMul kernel allows local attackers with low privileges to achieve arbitrary code execution on any host running affected TensorFlow versions. Quantized ops are widely used in inference optimization and edge deployments, making this relevant to production ML serving infrastructure. Upgrade immediately to TF 2.5.0 or the corresponding patched backport for your branch.

Risk Assessment

CVSS 7.8 High with local attack vector, low complexity, and low privilege requirement. While the local-only constraint limits internet-exposed attack surface, shared ML infrastructure (GPU clusters, HPC environments, multi-tenant notebook platforms, CI/CD runners, containerized training jobs) significantly widens exposure. An attacker who can influence model inputs or quantization parameters — for instance through a malicious model file or crafted dataset — can trigger this without interactive user involvement. Not in CISA KEV, no public exploitation evidence as of disclosure, but the low complexity makes post-access exploitation trivial.

Affected Systems

Package: tensorflow
Ecosystem: pip
Vulnerable Range: (not listed)
Patched: No patch


Severity & Risk

CVSS 3.1: 7.8 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 2% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

5 steps
  1. PATCH

    Upgrade to TensorFlow 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4. Verify installed version with pip show tensorflow.

  2. ISOLATE

    Run TF inference workers in minimal-privilege containers with no host network access; enforce read-only filesystems where possible.

  3. VALIDATE INPUTS

    Add input validation to reject empty tensors before they reach quantized kernels — check tensor shape and element count upstream.

  4. DETECT

    Monitor for anomalous process crashes (SIGABRT/SIGSEGV) in ML serving processes, which may indicate failed exploitation attempts.

  5. AUDIT

    Inventory all TF deployments across dev, CI/CD, and production environments — developer machines and CI runners are often overlooked.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.5 - AI system security and resilience
NIST AI RMF: MANAGE-2.2 - Mechanisms for sustaining AI risk management
OWASP LLM Top 10: LLM09:2025 - Misinformation

Frequently Asked Questions

What is CVE-2021-29535?

A heap buffer overflow in TensorFlow's QuantizedMul kernel allows local attackers with low privileges to achieve arbitrary code execution on any host running affected TensorFlow versions. Quantized ops are widely used in inference optimization and edge deployments, making this relevant to production ML serving infrastructure. Upgrade immediately to TF 2.5.0 or the corresponding patched backport for your branch.

Is CVE-2021-29535 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29535, increasing the risk of exploitation.

How to fix CVE-2021-29535?

1. PATCH: Upgrade to TensorFlow 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4. Verify installed version with `pip show tensorflow`.
2. ISOLATE: Run TF inference workers in minimal-privilege containers with no host network access; enforce read-only filesystems where possible.
3. VALIDATE INPUTS: Add input validation to reject empty tensors before they reach quantized kernels — check tensor shape and element count upstream.
4. DETECT: Monitor for anomalous process crashes (SIGABRT/SIGSEGV) in ML serving processes, which may indicate failed exploitation attempts.
5. AUDIT: Inventory all TF deployments across dev, CI/CD, and production environments — developer machines and CI runners are often overlooked.

What systems are affected by CVE-2021-29535?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, edge inference, quantization-aware training workflows, CI/CD ML evaluation pipelines.

What is the CVSS score for CVE-2021-29535?

CVE-2021-29535 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `QuantizedMul` by passing in invalid thresholds for the quantization. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/87cf4d3ea9949051e50ca3f071fc909538a51cd0/tensorflow/core/kernels/quantized_mul_op.cc#L287-L290) assumes that the 4 arguments are always valid scalars and tries to access the numeric value directly. However, if any of these tensors is empty, then `.flat<T>()` is an empty buffer and accessing the element at position 0 results in overflow. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
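The empty-tensor condition described above, together with the upstream check recommended in step 3 (VALIDATE INPUTS) of Recommended Action, as an added example that is not TensorFlow's own code: it models a tensor as a constructed (shape, flat values) pair so it runs without TensorFlow installed, and the argument names follow the QuantizedMul op signature (x, y, min_x, max_x, min_y, max_y). The validator rejects any threshold that is empty or not rank 0 before the op would be dispatched; `vulnerable_first_element` mirrors the kernel's unchecked read of element 0 for contrast.

```python
"""Pre-dispatch guard for QuantizedMul's quantization thresholds (added example)."""
from math import prod
from typing import Dict, Sequence, Tuple

# Constructed stand-in for a tensor: (shape, flat values). In a real pipeline the
# same check runs on the tf.Tensor / numpy inputs before the op is dispatched.
Tensor = Tuple[Tuple[int, ...], Sequence[float]]

# The four arguments the kernel reads as scalars, per the QuantizedMul signature.
THRESHOLD_ARGS = ("min_x", "max_x", "min_y", "max_y")


class InvalidQuantizationArg(ValueError):
    """A quantization threshold is not a non-empty rank-0 tensor."""


def element_count(shape: Tuple[int, ...]) -> int:
    """Elements held by a tensor of this shape; prod(()) == 1, so rank 0 holds one."""
    return prod(shape)


def vulnerable_first_element(tensor: Tensor) -> float:
    """Mirrors the unchecked `.flat<T>()(0)` read. In C++ this is an out-of-bounds
    heap read when the buffer is empty; here it surfaces as an IndexError."""
    _, values = tensor
    return values[0]


def require_scalar(name: str, tensor: Tensor) -> float:
    """Return the scalar's value, or raise if the tensor is empty or not rank 0."""
    shape, values = tensor
    n = element_count(shape)
    if len(values) != n:
        raise InvalidQuantizationArg(
            f"{name}: shape {shape} implies {n} element(s), got {len(values)}")
    if n == 0:
        raise InvalidQuantizationArg(f"{name}: empty tensor with shape {shape}")
    if len(shape) != 0:
        raise InvalidQuantizationArg(f"{name}: expected a scalar, got shape {shape}")
    return float(values[0])


def validate_quantized_mul_thresholds(
        min_x: Tensor, max_x: Tensor, min_y: Tensor, max_y: Tensor) -> Dict[str, float]:
    """Check all four thresholds before dispatch; returns them as plain floats."""
    args = (min_x, max_x, min_y, max_y)
    return {name: require_scalar(name, t) for name, t in zip(THRESHOLD_ARGS, args)}
```

Wire `validate_quantized_mul_thresholds` in front of the call site that feeds the op (for example, the place where a loaded model's quantization constants are read) so a malformed model fails with a controlled `InvalidQuantizationArg` instead of reaching the kernel.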

Exploitation Scenario

An adversary with access to a shared ML platform (e.g., a data scientist account on a Jupyter Hub or a compromised CI/CD pipeline) crafts a TensorFlow model that passes empty tensors as the quantization threshold arguments to QuantizedMul. When the model is loaded and executed — either by the victim running inference or an automated evaluation pipeline — the empty `.flat<T>()` buffer is dereferenced at position 0, triggering a heap buffer overflow. On a model serving host running TF Serving, this could be triggered by submitting a malformed quantized model through the model management API, potentially escalating from inference API access to code execution on the serving infrastructure.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: May 14, 2021
Last Modified: November 21, 2024
First Seen: May 14, 2021
