CVE-2021-29552: TensorFlow: DoS via empty num_segments tensor assertion

MEDIUM PoC AVAILABLE
Published May 14, 2021
CISO Take

A local attacker with the ability to submit TensorFlow operations can crash the TF process by passing an empty tensor to UnsortedSegmentJoin, triggering a failed assertion. Upgrade to TensorFlow 2.5.0 or the respective backport (2.4.2, 2.3.3, 2.2.3, 2.1.4) immediately if running shared or multi-tenant ML infrastructure. Production serving behind an inference API is not directly exposed unless arbitrary op execution is permitted.

Risk Assessment

Medium. CVSS 5.5 reflects a local attack vector and low-privileges requirement, meaning the attacker must already have code execution or op-submission access on the host. Risk elevates significantly in multi-tenant environments — shared Jupyter hubs, AI sandboxes, or model serving platforms that allow user-submitted computation graphs are the realistic exposure surface. No evidence of active exploitation or weaponized PoC in the wild; patch is available and straightforward.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch


Severity & Risk

CVSS 3.1: 5.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 1% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: None
A: High

Recommended Action

  1. PATCH: Upgrade to TensorFlow ≥2.5.0, or cherry-pick to 2.4.2 / 2.3.3 / 2.2.3 / 2.1.4 as appropriate. Commit 704866eabe03a9aeda044ec91a8d0c83fc1ebdbe.

  2. VALIDATE INPUTS: Add shape validation for num_segments tensors at inference/serving boundaries; reject empty or zero-element tensors before they reach TF ops.

  3. ISOLATE: Run TF workers in isolated processes or containers so a crash does not cascade to the broader serving infrastructure.

  4. DETECT: Monitor for abnormal TF process exits or assertion failure logs (SIGABRT / CHECK failures in TF logs).

  5. MULTI-TENANT HARDENING: In shared notebook environments, restrict or sandbox TF op execution to prevent malicious op graph submission.
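One way to implement the input validation in step 2, as an added example that is not code from this page or from the TensorFlow project. It assumes num_segments arrives as a JSON-style number or nested list; the names `RejectedInput`, `infer_shape` and `validate_num_segments` are hypothetical.

```python
from numbers import Integral


class RejectedInput(ValueError):
    """Raised when a request must not be forwarded to the TF worker."""


def infer_shape(value):
    """Shape of a JSON-style nested list; a bare number has shape ()."""
    if not isinstance(value, list):
        return ()
    if not value:
        return (0,)
    inner = {infer_shape(v) for v in value}
    if len(inner) != 1:
        raise RejectedInput("ragged nested list")
    return (len(value),) + inner.pop()


def validate_num_segments(value):
    """Return num_segments as an int, or raise RejectedInput."""
    shape = infer_shape(value)
    count = 1
    for dim in shape:
        count *= dim
    # The vulnerable kernel reads the tensor as a scalar, which needs exactly one element.
    if count != 1:
        raise RejectedInput(f"num_segments has shape {shape}; need exactly one element")
    while isinstance(value, list):
        value = value[0]
    if isinstance(value, bool) or not isinstance(value, Integral):
        raise RejectedInput("num_segments must be an integer")
    return int(value)


if __name__ == "__main__":
    # Constructed sample payloads: two valid, four that must be rejected.
    for sample in (4, [4], [], [[]], [1, 2], "4"):
        try:
            print(repr(sample), "->", validate_num_segments(sample))
        except RejectedInput as exc:
            print(repr(sample), "-> rejected:", exc)
```

A stricter deployment can require `shape == ()` so that only true scalars pass.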

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.10.1 - AI System Availability and Resilience
NIST AI RMF: RMF-RE-1.1 - Reliability and Availability - Measure

Frequently Asked Questions


Is CVE-2021-29552 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29552, increasing the risk of exploitation.


What systems are affected by CVE-2021-29552?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, shared ML platforms.

What is the CVSS score for CVE-2021-29552?

CVE-2021-29552 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by controlling the values of `num_segments` tensor argument for `UnsortedSegmentJoin`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/a2a607db15c7cd01d754d37e5448d72a13491bdb/tensorflow/core/kernels/unsorted_segment_join_op.cc#L92-L93) assumes that the `num_segments` tensor is a valid scalar. Since the tensor is empty the `CHECK` involved in `.scalar<T>()()` that checks that the number of elements is exactly 1 will be invalidated and this would result in process termination. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with access to a shared ML platform (e.g., a data science Jupyter environment or a model serving endpoint that accepts custom TF computation graphs) crafts a request that invokes UnsortedSegmentJoin with num_segments set to an empty tensor (shape=[0]). The TF runtime's .scalar<T>()() call checks for exactly one element, fails the internal CHECK assertion, and terminates the TF process via SIGABRT. In a shared environment, this crashes the worker serving all tenants. In a hostile insider scenario, a malicious ML engineer could embed this op into a training job to repeatedly crash infrastructure during a critical model deployment window.
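The isolation and detection measures this scenario calls for, as an added example that is not code from this page or from the TensorFlow project. It assumes a POSIX host, where a child killed by SIGABRT reports a negative return code; the stand-in worker scripts and the log line they emit are constructed, and `run_isolated` is a hypothetical name.

```python
import signal
import subprocess
import sys

# Constructed stand-in for a TF worker dying on a failed CHECK: it writes a
# fatal-looking log line to stderr and aborts. The log text is illustrative.
FAKE_CRASHING_WORKER = (
    "import os, sys\n"
    "sys.stderr.write('F worker.cc:1] Check failed: 1 == NumElements() (1 vs. 0)\\n')\n"
    "sys.stderr.flush()\n"
    "os.abort()\n"
)
FAKE_HEALTHY_WORKER = "print('ok')"


def run_isolated(code, timeout=30):
    """Run one job in a child process and classify how it ended."""
    proc = subprocess.run([sys.executable, "-c", code],
                          capture_output=True, text=True, timeout=timeout)
    # On POSIX, death by signal N is reported as returncode == -N.
    aborted = proc.returncode == -signal.SIGABRT
    check_lines = [ln for ln in proc.stderr.splitlines() if "Check failed" in ln]
    if aborted or check_lines:
        verdict = "assertion-abort"
    elif proc.returncode != 0:
        verdict = "abnormal-exit"
    else:
        verdict = "ok"
    return {"verdict": verdict, "returncode": proc.returncode, "evidence": check_lines}


if __name__ == "__main__":
    # The supervising process survives the child's abort and can alert on it.
    for name, code in (("crashing", FAKE_CRASHING_WORKER), ("healthy", FAKE_HEALTHY_WORKER)):
        print(name, run_isolated(code))
```

Because the abort happens in the child, the supervisor stays up, can record the evidence line, and can restart or quarantine the job instead of taking other tenants down with it.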

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: May 14, 2021
Last Modified: November 21, 2024
First Seen: May 14, 2021
