CVE-2021-29541: TensorFlow: null ptr deref DoS in StringNGrams op

MEDIUM PoC AVAILABLE
Published May 14, 2021
CISO Take

A low-privilege local attacker can crash the TensorFlow runtime by passing crafted input to the StringNGrams op, causing a null pointer dereference and denying service to any pipeline relying on it. In shared ML environments (JupyterHub, SageMaker, Vertex AI notebooks), 'local' is effectively any authenticated user. Patch immediately to TF 2.5.0+ or apply the backport for your branch (2.4.2, 2.3.3, 2.2.3, or 2.1.4).

Risk Assessment

Medium risk overall, but context-dependent. CVSS 5.5 (AV:L) understates exposure in shared ML platforms where many users share the same compute environment. Exploitability is trivial — no ML expertise required, just crafted input. Impact is limited to availability (no code execution, no data exfiltration). Organizations running multi-tenant training infrastructure or model-serving endpoints built on TF should prioritize patching. Standalone single-user workstations are low priority.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1: 5.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 1% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: None
A: High

Recommended Action

5 steps
  1. PATCH

    Upgrade to TensorFlow 2.5.0 or apply backports: 2.4.2, 2.3.3, 2.2.3, 2.1.4. Verify with `pip show tensorflow`.

  2. DETECT

    Grep codebases and model serving configs for `tf.raw_ops.StringNGrams` or `StringNGrams` usage to assess blast radius.

  3. ISOLATE

    Restrict access to shared ML compute environments; enforce least-privilege on notebook servers.

  4. MONITOR

    Add crash/exit-code monitoring on TF serving processes and training jobs to detect exploitation attempts.

  5. WORKAROUND (if patching is not immediately possible)

    Validate that the `data_splits` argument is non-empty and produces a positive output size before invoking the StringNGrams op.
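
A pre-flight check for the workaround in step 5, as an added example rather than code from TensorFlow or from this page. The function names, the row-splits invariants (start at 0, non-decreasing, end at the data length) and the n-gram count formula are assumptions based on the op's documented padding behaviour.

```python
# Added example: validate StringNGrams inputs before calling the op.
# Pure Python, no TensorFlow import; all names here are hypothetical.
from typing import Sequence


class UnsafeNGramInput(ValueError):
    """Inputs that should not be handed to an unpatched StringNGrams."""


def effective_pad(ngram_width: int, pad_width: int) -> int:
    # Assumed from the op documentation: padding never exceeds
    # ngram_width - 1, and pad_width == -1 means "use ngram_width - 1".
    if pad_width < -1:
        raise UnsafeNGramInput("pad_width must be >= -1")
    return ngram_width - 1 if pad_width == -1 else min(pad_width, ngram_width - 1)


def expected_output_size(data_len: int, data_splits: Sequence[int],
                         ngram_widths: Sequence[int], pad_width: int = 0) -> int:
    """Return the total n-gram count the inputs would yield, or raise."""
    splits = list(data_splits)
    if not splits:
        raise UnsafeNGramInput("data_splits is empty")
    if splits[0] != 0 or splits[-1] != data_len:
        raise UnsafeNGramInput("data_splits must start at 0 and end at len(data)")
    if any(b < a for a, b in zip(splits, splits[1:])):
        raise UnsafeNGramInput("data_splits must be non-decreasing")
    if not ngram_widths or any(w <= 0 for w in ngram_widths):
        raise UnsafeNGramInput("ngram_widths must be positive")

    total = 0
    for start, end in zip(splits, splits[1:]):
        row_len = end - start
        for w in ngram_widths:
            pad = effective_pad(w, pad_width)
            total += max(0, row_len + 2 * pad - w + 1)
    if total <= 0:
        raise UnsafeNGramInput("inputs would produce an empty output")
    return total


if __name__ == "__main__":
    # Constructed sample: four tokens split into two rows of two.
    print(expected_output_size(4, [0, 2, 4], [2]))
```

Rejecting every zero-size result is deliberately conservative: it also blocks inputs that a patched TensorFlow handles safely, so remove the wrapper once the upgrade in step 1 is complete.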

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.6.2 - AI risk management processes
A.9.1 - Monitoring and measurement of AI system performance
NIST AI RMF
GOVERN-1.7 - Processes for identifying and managing AI risks
MANAGE-2.2 - Mechanisms to sustain value of deployed AI systems

Frequently Asked Questions

What is CVE-2021-29541?

A low-privilege local attacker can crash the TensorFlow runtime by passing crafted input to the StringNGrams op, causing a null pointer dereference and denying service to any pipeline relying on it. In shared ML environments (JupyterHub, SageMaker, Vertex AI notebooks), 'local' is effectively any authenticated user. Patch immediately to TF 2.5.0+ or apply the backport for your branch (2.4.2, 2.3.3, 2.2.3, or 2.1.4).

Is CVE-2021-29541 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29541, increasing the risk of exploitation.

How to fix CVE-2021-29541?

1. PATCH: Upgrade to TensorFlow 2.5.0 or apply backports: 2.4.2, 2.3.3, 2.2.3, 2.1.4. Verify with `pip show tensorflow`.
2. DETECT: Grep codebases and model serving configs for `tf.raw_ops.StringNGrams` or `StringNGrams` usage to assess blast radius.
3. ISOLATE: Restrict access to shared ML compute environments; enforce least-privilege on notebook servers.
4. MONITOR: Add crash/exit-code monitoring on TF serving processes and training jobs to detect exploitation attempts.
5. WORKAROUND (if patching is not immediately possible): Validate that the `data_splits` argument is non-empty and produces a positive output size before invoking the StringNGrams op.

What systems are affected by CVE-2021-29541?

This vulnerability affects the following AI/ML architecture patterns: NLP training pipelines, text preprocessing pipelines, model serving (TF Serving), shared ML compute environments.

What is the CVSS score for CVE-2021-29541?

CVE-2021-29541 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null pointer in `tf.raw_ops.StringNGrams`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/1cdd4da14282210cc759e468d9781741ac7d01bf/tensorflow/core/kernels/string_ngrams_op.cc#L67-L74) does not fully validate the `data_splits` argument. This would result in `ngrams_data` (https://github.com/tensorflow/tensorflow/blob/1cdd4da14282210cc759e468d9781741ac7d01bf/tensorflow/core/kernels/string_ngrams_op.cc#L106-L110) to be a null pointer when the output would be computed to have 0 or negative size. Later writes to the output tensor would then cause a null pointer dereference. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with access to a shared JupyterHub or ML platform submits a notebook or training job that calls `tf.raw_ops.StringNGrams` with a crafted `data_splits` tensor designed to produce zero or negative output size. This triggers a null pointer dereference in the kernel, crashing the TensorFlow runtime process. In a multi-tenant training cluster, this disrupts other users' jobs sharing the same runtime. In an NLP inference endpoint, it causes a service outage for all requests routed to that instance. The attack requires no ML knowledge — only awareness of the vulnerable API signature, which is publicly documented.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: May 14, 2021
Last Modified: November 21, 2024
First Seen: May 14, 2021
