CVE-2021-29539: TensorFlow: type confusion in ImmutableConst causes DoS
MEDIUM | PoC AVAILABLE
A low-privilege local attacker can crash TensorFlow processes by passing resource or variant dtypes to ImmutableConst, triggering a segfault. Risk is elevated in multi-tenant ML platforms, shared Jupyter environments, or model serving infrastructure that processes externally-supplied TF graphs. Patch to TensorFlow 2.5.0; add dtype validation as an immediate workaround.
Risk Assessment
MEDIUM overall, but context-dependent. The CVSS 5.5 reflects local access requirements, yet exploitation is trivially simple — a one-liner crashes the TF process with no exploit tooling required. Risk escalates sharply in shared ML environments (notebook servers, MLaaS platforms, training queues) where untrusted users can submit TensorFlow code. Confidentiality and integrity are unaffected; availability impact is total for the crashed process.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | — | No patch |
Do you use tensorflow? You're affected.
Recommended Action
1. Patch: Upgrade to TensorFlow 2.5.0 or apply commit 4f663d4b8f0bec1b48da6fa091a7d29609980fa4.
2. Workaround: Insert dtype validation before any tf.raw_ops.ImmutableConst call — reject tf.resource and tf.variant inputs explicitly.
3. Sandbox: Run TensorFlow workloads in isolated containers or VMs to limit blast radius of crashes.
4. Multi-tenant hardening: Audit all code paths that accept user-controlled TF ops, graphs, or SavedModel files.
5. Detection: Alert on unexpected TF process terminations (segfaults in syslog/journald) as potential exploitation indicators in production serving environments.
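For the detection step, the following added example (not from the advisory or the TensorFlow project) parses kernel segfault records in `journalctl -k -o short-iso` form and flags hosts where TensorFlow processes crash repeatedly inside a short window. The module and process-name markers, the threshold, the window and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# x86 Linux kernel segfault record as shown by `journalctl -k -o short-iso`.
SEGV = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: (?P<comm>.+?)\[(?P<pid>\d+)\]: "
    r"segfault at [0-9a-f]+ ip [0-9a-f]+ sp [0-9a-f]+ error [0-9a-f]+"
    r"(?: in (?P<module>[^\[\s]+)\[)?"
)
# Assumption: a crash is TensorFlow-related if the faulting module name contains
# "tensorflow" or the process is TF Serving (comm is truncated to 15 characters).
TF_COMMS = ("tensorflow_mode",)

def tf_segfaults(lines):
    """Parse log lines and return the segfaults attributable to TensorFlow."""
    events = []
    for m in filter(None, map(SEGV.match, lines)):
        module = m["module"] or ""
        if "tensorflow" in module or m["comm"].startswith(TF_COMMS):
            events.append({"time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z"),
                           "host": m["host"], "pid": int(m["pid"]), "module": module})
    return events

def crash_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Map host -> start of the first window holding >= threshold TF segfaults."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e["time"])
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[host] = times[i]
                break
    return flagged

def _rec(ts, host, comm, pid, module):
    return (f"2021-05-14T{ts}+0000 {host} kernel: {comm}[{pid}]: segfault at 0 ip "
            f"00007f3c5a1b2c3d sp 00007ffd4e5f6a70 error 4 in {module}[7f3c50000000+a000000]")

# Constructed sample records, not taken from a real host.
SAMPLE_LOG = [
    _rec("10:15:02", "ml-nb-01", "python3", 4121, "_pywrap_tensorflow_internal.so"),
    _rec("10:16:40", "ml-nb-01", "python3", 4188, "_pywrap_tensorflow_internal.so"),
    _rec("10:17:55", "ml-nb-01", "python3", 4203, "_pywrap_tensorflow_internal.so"),
    _rec("10:20:11", "ml-nb-02", "nginx", 911, "libc-2.31.so"),
    _rec("11:02:30", "ml-srv-01", "tensorflow_mode", 2301, "tensorflow_model_server"),
]
```

A single TensorFlow segfault is still worth an alert on a serving host; the burst check separates a sustained pattern from a one-off crash.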
Frequently Asked Questions
What is CVE-2021-29539?
A low-privilege local attacker can crash TensorFlow processes by passing resource or variant dtypes to ImmutableConst, triggering a segfault. Risk is elevated in multi-tenant ML platforms, shared Jupyter environments, or model serving infrastructure that processes externally-supplied TF graphs. Patch to TensorFlow 2.5.0; add dtype validation as an immediate workaround.
Is CVE-2021-29539 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2021-29539, increasing the risk of exploitation.
How to fix CVE-2021-29539?
1. Patch: Upgrade to TensorFlow 2.5.0 or apply commit 4f663d4b8f0bec1b48da6fa091a7d29609980fa4.
2. Workaround: Insert dtype validation before any tf.raw_ops.ImmutableConst call — reject tf.resource and tf.variant inputs explicitly.
3. Sandbox: Run TensorFlow workloads in isolated containers or VMs to limit blast radius of crashes.
4. Multi-tenant hardening: Audit all code paths that accept user-controlled TF ops, graphs, or SavedModel files.
5. Detection: Alert on unexpected TF process terminations (segfaults in syslog/journald) as potential exploitation indicators in production serving environments.
What systems are affected by CVE-2021-29539?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, shared ML notebooks, ML-as-a-Service platforms, CI/CD ML pipelines.
What is the CVSS score for CVE-2021-29539?
CVE-2021-29539 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.
Technical Details
NVD Description
TensorFlow is an end-to-end open source platform for machine learning. Calling [`tf.raw_ops.ImmutableConst`](https://www.tensorflow.org/api_docs/python/tf/raw_ops/ImmutableConst) with a `dtype` of `tf.resource` or `tf.variant` results in a segfault in the implementation as code assumes that the tensor contents are pure scalars. We have patched the issue in 4f663d4b8f0bec1b48da6fa091a7d29609980fa4 and will release TensorFlow 2.5.0 containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved. If using `tf.raw_ops.ImmutableConst` in code, you can prevent the segfault by inserting a filter for the `dtype` argument.
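One way to write the `dtype` filter described above, as an added example that is not code from the advisory or the TensorFlow project. The function names are hypothetical; the filter reads only the dtype's `name` (as `tf.DType` exposes it) and imports TensorFlow lazily so the check itself can be unit-tested without it.

```python
# dtypes the advisory says crash the unpatched ImmutableConst kernel.
BLOCKED_DTYPES = frozenset({"resource", "variant"})


def dtype_name(dtype):
    """Return a normalized name for a tf.DType-like object or a string."""
    name = dtype if isinstance(dtype, str) else getattr(dtype, "name", None)
    if not isinstance(name, str) or not name:
        # Fail closed: a dtype that cannot be named is never forwarded to the op.
        raise TypeError(f"cannot determine dtype name for {dtype!r}")
    name = name.lower()
    if name.startswith("tf."):
        name = name[3:]
    # Reference dtypes carry a "_ref" suffix, e.g. "resource_ref".
    return name[:-4] if name.endswith("_ref") else name


def validate_immutable_const_dtype(dtype):
    """Raise ValueError for resource/variant dtypes; return the name otherwise."""
    name = dtype_name(dtype)
    if name in BLOCKED_DTYPES:
        raise ValueError(f"dtype {name!r} is not allowed for ImmutableConst")
    return name


def checked_immutable_const(dtype, shape, memory_region_name):
    """Hypothetical wrapper: validate first, then call the raw op."""
    validate_immutable_const_dtype(dtype)
    import tensorflow as tf  # lazy import: the filter has no TF dependency

    return tf.raw_ops.ImmutableConst(
        dtype=dtype, shape=shape, memory_region_name=memory_region_name
    )
```

The filter only helps on code paths that go through the wrapper, so callers of `tf.raw_ops.ImmutableConst` need to be routed to it until the upgrade to 2.5.0 is in place.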
Exploitation Scenario
An adversary with access to a shared ML notebook server or model training queue submits a malicious TensorFlow script: `tf.raw_ops.ImmutableConst(dtype=tf.resource, shape=[], memory_region_name='x')`. The TF runtime dereferences the resource handle as a scalar value, triggering a segfault that immediately terminates the process. On a shared inference server, this kills all concurrent model predictions for every user. In a training platform, it aborts active jobs. An adversary could script repeated submissions to maintain a sustained DoS against the ML infrastructure, particularly targeting pre-patch TF Serving deployments exposed to internal users.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
- github.com/tensorflow/tensorflow/commit/4f663d4b8f0bec1b48da6fa091a7d29609980fa4 Patch 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-g4h2-gqm3-c9wq Exploit Patch 3rd Party
Related Vulnerabilities
- CVE-2020-15196 (9.9) TensorFlow: heap OOB read in sparse/ragged count ops. Same package: tensorflow
- CVE-2020-15205 (9.8) TensorFlow: heap overflow in StringNGrams, ASLR bypass. Same package: tensorflow
- CVE-2020-15208 (9.8) TFLite: OOB read/write via tensor dimension mismatch. Same package: tensorflow
- CVE-2019-16778 (9.8) TensorFlow: heap overflow in UnsortedSegmentSum op. Same package: tensorflow
- CVE-2022-23587 (9.8) TensorFlow: integer overflow in Grappler enables RCE. Same package: tensorflow