CVE-2021-29542: TensorFlow StringNGrams heap

CISO Take

A heap buffer overflow in TensorFlow's StringNGrams op can crash any process executing crafted text preprocessing graphs—the impact is limited to availability (no data exfiltration). Patch to TF 2.5.0 / 2.4.2 / 2.3.3 / 2.2.3 / 2.1.4; risk is elevated in shared Jupyter or multi-tenant training environments where untrusted graphs can be submitted. Not a breaking-alert priority unless your org runs unpatched TF on exposed NLP inference endpoints.

What is the risk?

Medium operational risk. CVSS AV:L constrains exploitability to actors with local execution access—direct remote exploitation is not possible. However, in shared ML platforms (JupyterHub, SageMaker multi-tenant, KubeFlow), 'local' effectively means any authenticated user. The CWE-787 (Out-of-Bounds Write) classification leaves open the theoretical possibility of code execution beyond pure DoS, even though CVSS scores only A:H. No public exploitation evidence and no CISA KEV listing keep this firmly in the patch-and-monitor category.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

5.5 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 10% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

What should I do?

5 steps

PATCH

Upgrade to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 (cherry-picked fix).
WORKAROUND

If patching is not immediately feasible, sanitize StringNGrams inputs server-side to reject configurations where num_tokens would evaluate to 0 (e.g., enforce minimum token counts before invoking the op).
ISOLATE

Run TF inference workers as unprivileged processes in containers; limit blast radius of a crash to a single replica.
DETECT

Monitor for unexpected process crashes or OOM kills in ML serving pods—heap corruption often manifests as SIGABRT/SIGSEGV; alert on abnormal crash rates in TF Serving deployments.
AUDIT

Inventory all TF versions across training and serving infrastructure using pip show tensorflow or equivalent in container images.

How is it classified?

DoS Code Execution Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0043 - Craft Adversarial Data

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.8.3 - AI system security

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place to sustain AI risk management

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29542?

A heap buffer overflow in TensorFlow's StringNGrams op can crash any process executing crafted text preprocessing graphs—the impact is limited to availability (no data exfiltration). Patch to TF 2.5.0 / 2.4.2 / 2.3.3 / 2.2.3 / 2.1.4; risk is elevated in shared Jupyter or multi-tenant training environments where untrusted graphs can be submitted. Not a breaking-alert priority unless your org runs unpatched TF on exposed NLP inference endpoints.

Is CVE-2021-29542 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29542, increasing the risk of exploitation.

How to fix CVE-2021-29542?

1. PATCH: Upgrade to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 (cherry-picked fix). 2. WORKAROUND: If patching is not immediately feasible, sanitize StringNGrams inputs server-side to reject configurations where num_tokens would evaluate to 0 (e.g., enforce minimum token counts before invoking the op). 3. ISOLATE: Run TF inference workers as unprivileged processes in containers; limit blast radius of a crash to a single replica. 4. DETECT: Monitor for unexpected process crashes or OOM kills in ML serving pods—heap corruption often manifests as SIGABRT/SIGSEGV; alert on abnormal crash rates in TF Serving deployments. 5. AUDIT: Inventory all TF versions across training and serving infrastructure using `pip show tensorflow` or equivalent in container images.

What systems are affected by CVE-2021-29542?

This vulnerability affects the following AI/ML architecture patterns: NLP training pipelines, text preprocessing pipelines, model serving (TF Serving with text models), shared ML platforms / multi-tenant notebooks.

What is the CVSS score for CVE-2021-29542?

CVE-2021-29542 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.20%.

What is the AI security impact?

Affected AI Architectures

NLP training pipelinestext preprocessing pipelinesmodel serving (TF Serving with text models)shared ML platforms / multi-tenant notebooks

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0029 Denial of AI Service

AML.T0043 Craft Adversarial Data

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.8.3

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow by passing crafted inputs to `tf.raw_ops.StringNGrams`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/1cdd4da14282210cc759e468d9781741ac7d01bf/tensorflow/core/kernels/string_ngrams_op.cc#L171-L185) fails to consider corner cases where input would be split in such a way that the generated tokens should only contain padding elements. If input is such that `num_tokens` is 0, then, for `data_start_index=0` (when left padding is present), the marked line would result in reading `data[-1]`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to a shared ML training environment (e.g., a multi-tenant JupyterHub or a KubeFlow pipeline that accepts user-submitted TF graphs) crafts a TensorFlow computation graph that calls tf.raw_ops.StringNGrams with inputs engineered to produce num_tokens=0 when left padding is applied. When the graph executes, the kernel reads data[-1]—an out-of-bounds memory access—triggering a heap buffer overflow that crashes the Python or TF Serving process. In a shared environment, this disrupts other tenants' training jobs. On a production inference endpoint, it causes repeated service crashes, resulting in degraded availability or a sustained DoS against the NLP inference tier.

Weaknesses (CWE)

CWE-787 Out-of-bounds Write Primary CWE-131 Incorrect Calculation of Buffer Size

CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.

[Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.