CVE-2021-29536: TensorFlow: heap overflow in QuantizedReshape op

Severity: HIGH | PoC available
Published May 14, 2021
CISO Take

A heap buffer overflow in TensorFlow's QuantizedReshape kernel allows local attackers to trigger out-of-bounds writes via crafted empty quantization threshold tensors, potentially enabling code execution within ML pipeline processes. Organizations running TensorFlow-based training or inference workloads should patch to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 immediately. Multi-tenant ML environments such as shared Jupyter servers and GPU clusters carry the highest risk due to lateral movement potential post-exploitation.

Risk Assessment

Medium-high risk for organizations with shared or multi-tenant TensorFlow environments. CVSS 7.8 (High) reflects full CIA triad impact if exploited locally. Low attack complexity means any user with execution access to a TF environment can trigger heap corruption with crafted inputs. Risk escalates significantly in shared ML infrastructure (JupyterHub, Kubeflow, TF Serving endpoints) where post-exploitation lateral movement across co-located workloads is feasible. The 2021 publication date reduces urgency, but unpatched legacy TF deployments remain exposed.

Affected Systems

Package      Ecosystem   Vulnerable Range   Patched
tensorflow   pip                            No patch


Severity & Risk

CVSS 3.1
7.8 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 2% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Recommended Action

1. PATCH: Upgrade to TensorFlow 2.5.0, or apply cherry-picks to 2.4.2, 2.3.3, 2.2.3, or 2.1.4 for in-support versions.
2. AUDIT: Inventory TensorFlow versions across all ML workloads: run `pip show tensorflow` or query container images.
3. WORKAROUND: Validate tensor shapes and assert non-empty inputs before passing to QuantizedReshape ops if immediate patching is not possible.
4. ACCESS CONTROL: Restrict who can submit custom TF graphs or execute arbitrary TF operations in shared ML environments.
5. DETECT: Alert on unexpected process crashes or crash-loop restarts in TF Serving pods as a potential indicator of exploitation attempts.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.3 - AI system security
NIST AI RMF
GOVERN 6.1 - Policies for AI risk and benefit management
MANAGE 2.2 - Mechanisms to sustain and improve AI risk management
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2021-29536 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29536, increasing the risk of exploitation.

What systems are affected by CVE-2021-29536?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, inference pipelines, edge deployment pipelines.

What is the CVSS score for CVE-2021-29536?

CVE-2021-29536 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `QuantizedReshape` by passing in invalid thresholds for the quantization. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/a324ac84e573fba362a5e53d4e74d5de6729933e/tensorflow/core/kernels/quantized_reshape_op.cc#L38-L55) assumes that the 2 arguments are always valid scalars and tries to access the numeric value directly. However, if any of these tensors is empty, then `.flat<T>()` is an empty buffer and accessing the element at position 0 results in overflow. The fix will be included in TensorFlow 2.5.0. We will also cherry-pick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An insider threat or attacker with access to a shared ML training cluster constructs a TensorFlow computation graph containing a QuantizedReshape op with deliberately empty (shape [0]) tensors as quantization min/max threshold arguments. When the graph executes, the kernel calls `.flat<T>()[0]` on an empty buffer, triggering a heap buffer overflow (CWE-787). With knowledge of the heap layout and a reliable primitive, an attacker could overwrite function pointers or control flow data to redirect execution — gaining code execution within the TF worker process and access to model weights, training datasets, or environment variables containing API keys and cloud credentials for downstream services.
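The WORKAROUND step above (validate shapes, assert non-empty thresholds before the op) as a concrete pre-call guard. This is an added example, not TensorFlow's own code or the upstream fix: it only relies on a `.shape` attribute, so it works with numpy arrays and tf.Tensor objects alike, and the `MockTensor` and `mock_quantized_reshape` stand-ins are constructed here so the block runs without TensorFlow installed; the real op would be passed in as `op` (for example `tf.raw_ops.QuantizedReshape`).

```python
"""Pre-call guard for QuantizedReshape threshold inputs (CVE-2021-29536).

The unpatched kernel read element 0 of input_min/input_max via .flat<T>()
without checking that the tensors held any elements. This wrapper refuses
to invoke the op unless both thresholds are non-empty scalars.
"""
from dataclasses import dataclass
from math import prod
from typing import Callable, Sequence, Tuple


@dataclass
class MockTensor:
    """Constructed stand-in for tf.Tensor; only .shape matters to the guard."""
    shape: Tuple[int, ...]
    values: Sequence[float] = ()


def num_elements(shape: Sequence[int]) -> int:
    # Shape () is a scalar with exactly one element; any 0-sized dim is empty.
    return prod(int(d) for d in shape)


def check_quant_threshold(name: str, t) -> None:
    """Reject the empty or non-scalar thresholds the vulnerable kernel trusted."""
    shape = tuple(t.shape)
    n = num_elements(shape)
    if n == 0:
        raise ValueError(f"{name} is empty (shape {shape}); refusing QuantizedReshape")
    if n != 1:
        raise ValueError(f"{name} must be a scalar, got shape {shape}")


def safe_quantized_reshape(op: Callable, tensor, shape, input_min, input_max):
    """Validate both thresholds, then delegate to the real op unchanged."""
    check_quant_threshold("input_min", input_min)
    check_quant_threshold("input_max", input_max)
    return op(tensor=tensor, shape=shape, input_min=input_min, input_max=input_max)


def mock_quantized_reshape(tensor, shape, input_min, input_max):
    # Constructed stand-in for the kernel: returns (output, output_min, output_max)
    # the way the TF op does, reading element 0 of each threshold.
    return (tensor, input_min.values[0], input_max.values[0])
```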

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021
