AI Threat Alert

CVE-2021-29546: TensorFlow: div-by-zero in QuantizedBiasAdd, C/I/A high

HIGH PoC AVAILABLE
Published May 14, 2021
CISO Take

Any TensorFlow deployment running quantized models on versions prior to 2.5.0 (or the backport series) is vulnerable to a divide-by-zero in QuantizedBiasAdd that yields undefined behavior with full C/I/A impact. While the CVSS vector is local, in containerized ML inference environments 'local' effectively maps to network-reachable: an attacker supplying a crafted model or crafted input tensor shapes can trigger this from an API endpoint. Patch immediately to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 — no workaround exists beyond upgrade.

What is the risk?

High risk for organizations running quantized TensorFlow models in any production inference context. CVSS 7.8 with low attack complexity and no user interaction required means exploitation is straightforward once access is established. The local attack vector is misleading in cloud-native and containerized deployments where ML serving APIs are network-accessible, effectively elevating the practical exposure surface. The full C:H/I:H/A:H impact means a successful exploit can result in process crash, memory corruption, or potential code execution depending on platform and allocator behavior.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.8 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 10% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

6 steps

  1. PATCH

    Upgrade TensorFlow to 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 — all contain the fix (commit 67784700).

  2. INVENTORY

    Identify all services running TF inference, including embedded TFLite and TF Serving containers.

  3. ISOLATE

    Until patched, restrict model loading to internally-signed models; reject untrusted SavedModel or frozen graph uploads.

  4. SANDBOX

    Run TF inference workers in isolated containers with seccomp/AppArmor profiles to contain crash blast radius.

  5. DETECT

    Alert on unexpected inference worker crashes or restarts — they may indicate exploitation attempts.

  6. VALIDATE

    For CI/CD pipelines, enforce model provenance checks before promotion to production serving.

How is it classified?

Code Execution DoS Supply Chain Framework Inference AML.T0010.001 AML.T0011.000 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity for high-risk AI systems
ISO 42001
A.10.1 - AI system security — vulnerability management
NIST AI RMF
MANAGE-2.2 - Risks from third-party AI components are tracked and addressed
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29546?

Any TensorFlow deployment running quantized models on versions prior to 2.5.0 (or the backport series) is vulnerable to a divide-by-zero in QuantizedBiasAdd that yields undefined behavior with full C/I/A impact. While the CVSS vector is local, in containerized ML inference environments 'local' effectively maps to network-reachable: an attacker supplying a crafted model or crafted input tensor shapes can trigger this from an API endpoint. Patch immediately to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 — no workaround exists beyond upgrade.

Is CVE-2021-29546 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29546, increasing the risk of exploitation.

How to fix CVE-2021-29546?

1. PATCH: Upgrade TensorFlow to 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 — all contain the fix (commit 67784700). 2. INVENTORY: Identify all services running TF inference, including embedded TFLite and TF Serving containers. 3. ISOLATE: Until patched, restrict model loading to internally-signed models; reject untrusted SavedModel or frozen graph uploads. 4. SANDBOX: Run TF inference workers in isolated containers with seccomp/AppArmor profiles to contain crash blast radius. 5. DETECT: Alert on unexpected inference worker crashes or restarts — they may indicate exploitation attempts. 6. VALIDATE: For CI/CD pipelines, enforce model provenance checks before promotion to production serving.

What systems are affected by CVE-2021-29546?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, edge inference.

What is the CVSS score for CVE-2021-29546?

CVE-2021-29546 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.20%.

What is the AI security impact?

Affected AI Architectures

model servingtraining pipelinesedge inference

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.10.1
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger an integer division by zero undefined behavior in `tf.raw_ops.QuantizedBiasAdd`. This is because the implementation of the Eigen kernel(https://github.com/tensorflow/tensorflow/blob/61bca8bd5ba8a68b2d97435ddfafcdf2b85672cd/tensorflow/core/kernels/quantization_utils.h#L812-L849) does a division by the number of elements of the smaller input (based on shape) without checking that this is not zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targeting an organization's ML inference API identifies that the endpoint accepts external model uploads (common in MLaaS and internal ML platforms). The adversary crafts a TensorFlow SavedModel containing a QuantizedBiasAdd operation with a bias tensor explicitly shaped to zero elements. On model load and first inference call, the Eigen kernel attempts to divide by the number of elements of the bias tensor, triggering an integer division by zero. On Linux x86, this raises SIGFPE; combined with the undefined behavior at C++ level, the outcome ranges from process termination (DoS of the inference service) to, depending on compiler and runtime, potential memory corruption exploitable for code execution within the serving container.

Weaknesses (CWE)

CWE-369 Divide By Zero

CWE-369 — Divide By Zero: The product divides a value by zero.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed