AI Threat Alert AI Threat Alert

CVE-2021-29547: TensorFlow: OOB read DoS via empty tensor in QuantizedBatchNorm

MEDIUM PoC AVAILABLE
Published May 14, 2021
CISO Take

This is a local denial-of-service vulnerability in TensorFlow's quantized batch normalization operation affecting all versions prior to 2.5.0 (backports available to 2.1.4). Patch immediately if running quantized TensorFlow models in shared or multi-tenant environments such as Jupyter hubs, ML platforms, or model serving infrastructure. Exploitability is limited to local/low-privilege access, so priority should be proportional to your exposure surface.

Risk Assessment

Practical risk is low-to-medium. The CVSS local attack vector (AV:L) significantly constrains real-world exploitability — an attacker needs local access or the ability to submit crafted inputs to a TF execution environment. Impact is purely availability (A:H), with no confidentiality or integrity loss. Risk escalates in multi-tenant ML platforms (shared Jupyter, Vertex AI Workbench, SageMaker Studio) where co-tenants could intentionally crash shared TF processes. Not in CISA KEV; no active exploitation observed.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
5.5 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 1% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C None
I None
A High

Recommended Action

5 steps

  1. PATCH

    Upgrade to TensorFlow 2.5.0, or cherrypick backports to 2.4.2, 2.3.3, 2.2.3, or 2.1.4.

  2. INPUT VALIDATION

    Add pre-flight checks asserting non-empty shape on all tensor inputs before calling quantized ops — enforce tf.debugging.assert_positive(tf.size(tensor)) at pipeline ingress.

  3. ISOLATION

    Run model serving and training workers in separate processes/containers per user in multi-tenant environments; a crash should not propagate across tenants.

  4. DETECTION

    Monitor for unexpected TensorFlow process crashes (segfaults in logs) on inference or training infrastructure; repeated crashes may indicate probe attempts.

  5. DEPENDENCY AUDIT

    Scan your ML dependency tree for pinned TF versions below 2.1.4; update lock files accordingly.

Classification

DoS Framework Inference AML.T0010.001 AML.T0029 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system operation
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain the value of deployed AI are evaluated and in place

Frequently Asked Questions

What is CVE-2021-29547?

This is a local denial-of-service vulnerability in TensorFlow's quantized batch normalization operation affecting all versions prior to 2.5.0 (backports available to 2.1.4). Patch immediately if running quantized TensorFlow models in shared or multi-tenant environments such as Jupyter hubs, ML platforms, or model serving infrastructure. Exploitability is limited to local/low-privilege access, so priority should be proportional to your exposure surface.

Is CVE-2021-29547 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29547, increasing the risk of exploitation.

How to fix CVE-2021-29547?

1. PATCH: Upgrade to TensorFlow 2.5.0, or cherrypick backports to 2.4.2, 2.3.3, 2.2.3, or 2.1.4. 2. INPUT VALIDATION: Add pre-flight checks asserting non-empty shape on all tensor inputs before calling quantized ops — enforce `tf.debugging.assert_positive(tf.size(tensor))` at pipeline ingress. 3. ISOLATION: Run model serving and training workers in separate processes/containers per user in multi-tenant environments; a crash should not propagate across tenants. 4. DETECTION: Monitor for unexpected TensorFlow process crashes (segfaults in logs) on inference or training infrastructure; repeated crashes may indicate probe attempts. 5. DEPENDENCY AUDIT: Scan your ML dependency tree for pinned TF versions below 2.1.4; update lock files accordingly.

What systems are affected by CVE-2021-29547?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, quantized/edge inference, multi-tenant ML platforms.

What is the CVSS score for CVE-2021-29547?

CVE-2021-29547 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a segfault and denial of service via accessing data outside of bounds in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/55a97caa9e99c7f37a0bbbeb414dc55553d3ae7f/tensorflow/core/kernels/quantized_batch_norm_op.cc#L176-L189) assumes the inputs are not empty. If any of these inputs is empty, `.flat<T>()` is an empty buffer, so accessing the element at index 0 is accessing data outside of bounds. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with access to a shared ML notebook environment (e.g., a co-tenant on a Jupyter Hub or a researcher submitting a job to a shared GPU cluster) submits a TensorFlow script that calls `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization` with one or more empty tensors (e.g., `tf.constant([], dtype=tf.quint8)`). The unpatched implementation proceeds without checking tensor size, accesses index 0 of an empty buffer, triggers a segfault, and crashes the TensorFlow worker process. In a model-serving context, an adversary submitting crafted inference requests to an endpoint backed by an unpatched TF runtime achieves the same effect, taking down the serving pod.

Weaknesses (CWE)

CWE-125

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed