CVE-2021-29553: TensorFlow: heap OOB read via malicious axis in quant op

Severity: HIGH. Public PoC available.
Published May 14, 2021
CISO Take

A low-privilege local attacker can trigger an out-of-bounds heap read in TensorFlow's QuantizeAndDequantizeV3 operator by supplying a crafted axis value, leaking memory contents or crashing the process. Any environment where untrusted users can submit TensorFlow ops — shared Jupyter servers, ML pipelines accepting user-defined graphs, or model-serving endpoints — is exposed. Patch to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 immediately and restrict who can execute raw ops.

Risk Assessment

CVSS 7.1 HIGH with local attack vector and low privilege/complexity requirements makes this credible in multi-tenant ML environments. Exploitation is straightforward: no authentication bypass needed, no user interaction required. Real risk concentrates in shared Jupyter/Colab infrastructure, CI/CD training pipelines, and any TF model-serving endpoint that accepts operator inputs. Not in CISA KEV and no active exploitation reported, but the low complexity bar means any insider or compromised adjacent system could weaponize this reliably.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 7.1 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 1% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: None
A: High

Recommended Action

  1. PATCH
     Upgrade to TensorFlow 2.5.0 or backport releases (2.4.2, 2.3.3, 2.2.3, 2.1.4). Commit 99085e8 is the canonical fix.

  2. WORKAROUND
     If patching is blocked, validate the axis attribute server-side before passing to tf.raw_ops.QuantizeAndDequantizeV3: ensure axis is within [-rank(input), rank(input)).

  3. ISOLATE
     Do not expose raw TF op execution to untrusted inputs. Use sandboxed execution (containers with seccomp) for user-submitted graphs.

  4. DETECT
     Monitor for crash/SIGABRT in TF worker processes as a signal of exploitation attempts. Enable heap hardening (ASAN in dev, guard pages in prod).

  5. AUDIT
     Inventory all services accepting external TF SavedModels or graphs; these are the widest attack surface for this class of vuln.
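As an added example (not code from the advisory or from TensorFlow), a pre-execution check covering steps 1, 2 and 5 above: a version test against the patched releases listed, the [-rank(input), rank(input)) axis rule, and a scan of a GraphDef-like node list for QuantizeAndDequantizeV3 nodes that violate it. The node dicts, tensor shapes, and the assumption that every minor line after 2.5 carries the fix are constructed here; TensorFlow itself is not imported.

```python
import re
from typing import Dict, List, Sequence

# Patched releases named in the advisory, keyed by minor line (assumed exhaustive).
PATCHED = {(2, 1): (2, 1, 4), (2, 2): (2, 2, 3), (2, 3): (2, 3, 3),
           (2, 4): (2, 4, 2), (2, 5): (2, 5, 0)}

def is_patched(version: str) -> bool:
    """True if a 'major.minor.patch' TensorFlow version carries the fix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(g) for g in m.groups())
    fixed = PATCHED.get((major, minor))
    if fixed is None:                    # assumption: minor lines after 2.5 ship
        return (major, minor) > (2, 5)   # the fix; anything older is unpatched
    return (major, minor, patch) >= fixed

def axis_in_range(axis: int, rank: int) -> bool:
    """The advisory's workaround rule: -rank <= axis < rank.
    The unpatched kernel used axis to index the input buffer unchecked."""
    return -rank <= axis < rank

def find_unsafe_quant_nodes(nodes: Sequence[Dict],
                            shapes: Dict[str, Sequence[int]]) -> List[str]:
    """Names of QuantizeAndDequantizeV3 nodes whose axis attribute is out of
    range for the rank of their first input. `nodes` mimics GraphDef nodes as
    plain dicts; `shapes` maps tensor names to static shapes (constructed)."""
    unsafe = []
    for node in nodes:
        if node["op"] != "QuantizeAndDequantizeV3":
            continue
        rank = len(shapes[node["input"][0]])
        axis = node["attr"].get("axis", -1)   # the op's attribute default is -1
        if not axis_in_range(axis, rank):
            unsafe.append(node["name"])
    return unsafe

# Constructed sample graph: a benign per-channel quant and the advisory's axis=9999 case.
SAMPLE_SHAPES = {"weights": [128, 256], "acts": [8, 32, 32, 3]}
SAMPLE_NODES = [
    {"name": "quant_ok", "op": "QuantizeAndDequantizeV3",
     "input": ["acts", "acts_min", "acts_max", "bits"], "attr": {"axis": 3}},
    {"name": "quant_bad", "op": "QuantizeAndDequantizeV3",
     "input": ["weights", "w_min", "w_max", "bits"], "attr": {"axis": 9999}},
    {"name": "relu", "op": "Relu", "input": ["acts"], "attr": {}},
]
```

Run `find_unsafe_quant_nodes` over a graph before handing it to a worker and reject the graph if the list is non-empty; `is_patched` is meant for the audit inventory, not as a substitute for upgrading.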

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system technical robustness and security
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain AI risk management actions
OWASP LLM Top 10
LLM05:2023 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29553?

A low-privilege local attacker can trigger an out-of-bounds heap read in TensorFlow's QuantizeAndDequantizeV3 operator by supplying a crafted axis value, leaking memory contents or crashing the process. Any environment where untrusted users can submit TensorFlow ops — shared Jupyter servers, ML pipelines accepting user-defined graphs, or model-serving endpoints — is exposed. Patch to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 immediately and restrict who can execute raw ops.

Is CVE-2021-29553 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29553, increasing the risk of exploitation.

How to fix CVE-2021-29553?

1. PATCH: Upgrade to TensorFlow 2.5.0 or backport releases (2.4.2, 2.3.3, 2.2.3, 2.1.4). Commit 99085e8 is the canonical fix.
2. WORKAROUND: If patching is blocked, validate the axis attribute server-side before passing to tf.raw_ops.QuantizeAndDequantizeV3: ensure axis is within [-rank(input), rank(input)).
3. ISOLATE: Do not expose raw TF op execution to untrusted inputs. Use sandboxed execution (containers with seccomp) for user-submitted graphs.
4. DETECT: Monitor for crash/SIGABRT in TF worker processes as a signal of exploitation attempts. Enable heap hardening (ASAN in dev, guard pages in prod).
5. AUDIT: Inventory all services accepting external TF SavedModels or graphs; these are the widest attack surface for this class of vuln.

What systems are affected by CVE-2021-29553?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, model optimization, shared ML notebooks.

What is the CVSS score for CVE-2021-29553?

CVE-2021-29553 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. An attacker can read data outside the bounds of a heap-allocated buffer in `tf.raw_ops.QuantizeAndDequantizeV3`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/11ff7f80667e6490d7b5174aa6bf5e01886e770f/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L237) does not validate the value of the user-supplied `axis` attribute before using it to index into the array backing the `input` argument. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary with low-privilege access to a shared ML platform (e.g., a data scientist account on a Jupyter Hub, or a user of an internal model-conversion service) crafts a TensorFlow graph that calls tf.raw_ops.QuantizeAndDequantizeV3 with an out-of-range axis value (e.g., axis=9999 on a 2D tensor). When the graph executes, TF reads beyond the allocated heap buffer — either exposing adjacent memory contents (model weights, cached training embeddings, or process secrets) via error messages or side-channel timing, or crashing the serving process. In a model quantization API endpoint, this could be triggered remotely if the service accepts user-supplied SavedModels for conversion.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Timeline

Published
May 14, 2021
Last Modified
November 21, 2024
First Seen
May 14, 2021
