CVE-2021-29541: TensorFlow: null ptr deref DoS in StringNGrams op
MEDIUM | PoC AVAILABLE
A low-privilege local attacker can crash the TensorFlow runtime by passing crafted input to the StringNGrams op, causing a null pointer dereference and denying service to any pipeline relying on it. In shared ML environments (JupyterHub, SageMaker, Vertex AI notebooks), 'local' is effectively any authenticated user. Patch immediately to TF 2.5.0+ or apply the backport for your branch (2.4.2, 2.3.3, 2.2.3, or 2.1.4).
What is the risk?
Medium risk overall, but context-dependent. CVSS 5.5 (AV:L) understates exposure in shared ML platforms where many users share the same compute environment. Exploitability is trivial — no ML expertise required, just crafted input. Impact is limited to availability (no code execution, no data exfiltration). Organizations running multi-tenant training infrastructure or model-serving endpoints built on TF should prioritize patching. Standalone single-user workstations are low priority.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
Do you use TensorFlow? You're affected.
What should I do?
5 steps:
1. PATCH: Upgrade to TensorFlow 2.5.0 or apply backports: 2.4.2, 2.3.3, 2.2.3, 2.1.4. Verify with `pip show tensorflow`.
2. DETECT: Grep codebases and model serving configs for `tf.raw_ops.StringNGrams` or `StringNGrams` usage to assess blast radius.
3. ISOLATE: Restrict access to shared ML compute environments; enforce least-privilege on notebook servers.
4. MONITOR: Add crash/exit-code monitoring on TF serving processes and training jobs to detect exploitation attempts.
5. WORKAROUND (if patching is not immediately possible): Validate `data_splits` argument is non-empty and produces positive output size before invoking StringNGrams op.
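One way to implement the workaround check before calling `tf.raw_ops.StringNGrams`, as an added example that is not part of the original page or of TensorFlow. The helper names `expected_ngram_count` and `safe_to_call` are hypothetical, and the size estimate is a simplified, conservative model of the op's `ngram_widths`, `pad_width` and `preserve_short_sequences` arguments.

```python
# Added example, not TensorFlow code: pure-Python pre-flight check (no TF import).
# The size estimate is a simplified, conservative model and an assumption.

def expected_ngram_count(data_len, data_splits, ngram_widths, pad_width=0,
                         preserve_short_sequences=False):
    """Conservative estimate of the output size; raises ValueError on bad splits."""
    splits = [int(s) for s in data_splits]
    if not splits:
        raise ValueError("data_splits is empty")
    if splits[0] != 0:
        raise ValueError("data_splits must start at 0")
    if splits[-1] != data_len:
        raise ValueError("last split must equal len(data)")
    if any(b < a for a, b in zip(splits, splits[1:])):
        raise ValueError("data_splits must be non-decreasing")
    if not ngram_widths or any(w <= 0 for w in ngram_widths):
        raise ValueError("ngram_widths must be positive")

    total = 0
    for start, end in zip(splits, splits[1:]):
        length = end - start
        if length == 0:
            continue  # conservative: count nothing for empty rows
        row = 0
        for w in ngram_widths:
            # pad_width == -1 is treated as "pad width - 1 tokens on each side"
            pad = w - 1 if pad_width < 0 else min(pad_width, w - 1)
            row += max(0, length + 2 * pad - w + 1)
        if row == 0 and preserve_short_sequences:
            row = 1  # a short row is kept as a single n-gram
        total += row
    return total


def safe_to_call(data, data_splits, ngram_widths, **kw):
    """True only when the splits are well-formed and the output is non-empty."""
    try:
        return expected_ngram_count(len(data), data_splits, ngram_widths, **kw) > 0
    except (TypeError, ValueError):
        return False
```

Invoke the op only when `safe_to_call` returns `True`; reject or log the request otherwise.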
Frequently Asked Questions
What is CVE-2021-29541?
A low-privilege local attacker can crash the TensorFlow runtime by passing crafted input to the StringNGrams op, causing a null pointer dereference and denying service to any pipeline relying on it. In shared ML environments (JupyterHub, SageMaker, Vertex AI notebooks), 'local' is effectively any authenticated user. Patch immediately to TF 2.5.0+ or apply the backport for your branch (2.4.2, 2.3.3, 2.2.3, or 2.1.4).
Is CVE-2021-29541 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2021-29541, increasing the risk of exploitation.
How to fix CVE-2021-29541?
1. PATCH: Upgrade to TensorFlow 2.5.0 or apply backports: 2.4.2, 2.3.3, 2.2.3, 2.1.4. Verify with `pip show tensorflow`.
2. DETECT: Grep codebases and model serving configs for `tf.raw_ops.StringNGrams` or `StringNGrams` usage to assess blast radius.
3. ISOLATE: Restrict access to shared ML compute environments; enforce least-privilege on notebook servers.
4. MONITOR: Add crash/exit-code monitoring on TF serving processes and training jobs to detect exploitation attempts.
5. WORKAROUND (if patching is not immediately possible): Validate `data_splits` argument is non-empty and produces positive output size before invoking StringNGrams op.
What systems are affected by CVE-2021-29541?
This vulnerability affects the following AI/ML architecture patterns: NLP training pipelines, text preprocessing pipelines, model serving (TF Serving), shared ML compute environments.
What is the CVSS score for CVE-2021-29541?
CVE-2021-29541 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.19%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0029 Denial of AI Service
- AML.T0049 Exploit Public-Facing Application
Compliance Controls Affected
What are the technical details?
Original Advisory
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null pointer in `tf.raw_ops.StringNGrams`. This is because the [implementation](https://github.com/tensorflow/tensorflow/blob/1cdd4da14282210cc759e468d9781741ac7d01bf/tensorflow/core/kernels/string_ngrams_op.cc#L67-L74) does not fully validate the `data_splits` argument. This would result in [`ngrams_data`](https://github.com/tensorflow/tensorflow/blob/1cdd4da14282210cc759e468d9781741ac7d01bf/tensorflow/core/kernels/string_ngrams_op.cc#L106-L110) to be a null pointer when the output would be computed to have 0 or negative size. Later writes to the output tensor would then cause a null pointer dereference. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Exploitation Scenario
An attacker with access to a shared JupyterHub or ML platform submits a notebook or training job that calls `tf.raw_ops.StringNGrams` with a crafted `data_splits` tensor designed to produce zero or negative output size. This triggers a null pointer dereference in the kernel, crashing the TensorFlow runtime process. In a multi-tenant training cluster, this disrupts other users' jobs sharing the same runtime. In an NLP inference endpoint, it causes a service outage for all requests routed to that instance. The attack requires no ML knowledge — only awareness of the vulnerable API signature, which is publicly documented.
Weaknesses (CWE)
CWE-476 — NULL Pointer Dereference: The product dereferences a pointer that it expects to be valid but is NULL.
- [Implementation] For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
- [Requirements] Select a programming language that is not susceptible to these issues.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
- github.com/tensorflow/tensorflow/commit/ba424dd8f16f7110eea526a8086f1a155f14f22b Patch 3rd Party
- github.com/tensorflow/tensorflow/security/advisories/GHSA-xqfj-35wv-m3cr Exploit Patch 3rd Party
Related Vulnerabilities
- CVE-2020-15196 (9.9) TensorFlow: heap OOB read in sparse/ragged count ops. Same package: tensorflow
- CVE-2020-15205 (9.8) TensorFlow: heap overflow in StringNGrams, ASLR bypass. Same package: tensorflow
- CVE-2020-15208 (9.8) TFLite: OOB read/write via tensor dimension mismatch. Same package: tensorflow
- CVE-2019-16778 (9.8) TensorFlow: heap overflow in UnsortedSegmentSum op. Same package: tensorflow
- CVE-2022-23587 (9.8) TensorFlow: integer overflow in Grappler enables RCE. Same package: tensorflow