CVE-2021-29553: TensorFlow: heap OOB read via malicious axis in quant op
Severity: HIGH. PoC available.

A low-privilege local attacker can trigger an out-of-bounds heap read in TensorFlow's QuantizeAndDequantizeV3 operator by supplying a crafted axis value, leaking memory contents or crashing the process. Any environment where untrusted users can submit TensorFlow ops — shared Jupyter servers, ML pipelines accepting user-defined graphs, or model-serving endpoints — is exposed. Patch to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 immediately and restrict who can execute raw ops.
What is the risk?
CVSS 7.1 HIGH with local attack vector and low privilege/complexity requirements makes this credible in multi-tenant ML environments. Exploitation is straightforward: no authentication bypass needed, no user interaction required. Real risk concentrates in shared Jupyter/Colab infrastructure, CI/CD training pipelines, and any TF model-serving endpoint that accepts operator inputs. Not in CISA KEV and no active exploitation reported, but the low complexity bar means any insider or compromised adjacent system could weaponize this reliably.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
Do you use TensorFlow? You're affected.
What should I do?
5 steps

1. PATCH: Upgrade to TensorFlow 2.5.0 or backport releases (2.4.2, 2.3.3, 2.2.3, 2.1.4). Commit 99085e8 is the canonical fix.
2. WORKAROUND: If patching is blocked, validate the axis attribute server-side before passing to tf.raw_ops.QuantizeAndDequantizeV3 — ensure axis is within [-rank(input), rank(input)).
3. ISOLATE: Do not expose raw TF op execution to untrusted inputs. Use sandboxed execution (containers with seccomp) for user-submitted graphs.
4. DETECT: Monitor for crash/SIGABRT in TF worker processes as a signal of exploitation attempts. Enable heap hardening (ASAN in dev, guard pages in prod).
5. AUDIT: Inventory all services accepting external TF SavedModels or graphs — these are the widest attack surface for this class of vuln.
Frequently Asked Questions
What is CVE-2021-29553?
A low-privilege local attacker can trigger an out-of-bounds heap read in TensorFlow's QuantizeAndDequantizeV3 operator by supplying a crafted axis value, leaking memory contents or crashing the process. Any environment where untrusted users can submit TensorFlow ops — shared Jupyter servers, ML pipelines accepting user-defined graphs, or model-serving endpoints — is exposed. Patch to TF 2.5.0, 2.4.2, 2.3.3, 2.2.3, or 2.1.4 immediately and restrict who can execute raw ops.
Is CVE-2021-29553 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2021-29553, increasing the risk of exploitation.
How to fix CVE-2021-29553?
1. PATCH: Upgrade to TensorFlow 2.5.0 or backport releases (2.4.2, 2.3.3, 2.2.3, 2.1.4). Commit 99085e8 is the canonical fix.
2. WORKAROUND: If patching is blocked, validate the axis attribute server-side before passing to tf.raw_ops.QuantizeAndDequantizeV3 — ensure axis is within [-rank(input), rank(input)).
3. ISOLATE: Do not expose raw TF op execution to untrusted inputs. Use sandboxed execution (containers with seccomp) for user-submitted graphs.
4. DETECT: Monitor for crash/SIGABRT in TF worker processes as a signal of exploitation attempts. Enable heap hardening (ASAN in dev, guard pages in prod).
5. AUDIT: Inventory all services accepting external TF SavedModels or graphs — these are the widest attack surface for this class of vuln.
What systems are affected by CVE-2021-29553?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, model optimization, shared ML notebooks.
What is the CVSS score for CVE-2021-29553?
CVE-2021-29553 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.20%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0025 Exfiltration via Cyber Means
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
TensorFlow is an end-to-end open source platform for machine learning. An attacker can read data outside of bounds of heap allocated buffer in `tf.raw_ops.QuantizeAndDequantizeV3`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/11ff7f80667e6490d7b5174aa6bf5e01886e770f/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L237) does not validate the value of user supplied `axis` attribute before using it to index in the array backing the `input` argument. The fix will be included in TensorFlow 2.5.0. We will also cherry-pick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Exploitation Scenario
An adversary with low-privilege access to a shared ML platform (e.g., a data scientist account on a Jupyter Hub, or a user of an internal model-conversion service) crafts a TensorFlow graph that calls tf.raw_ops.QuantizeAndDequantizeV3 with an out-of-range axis value (e.g., axis=9999 on a 2D tensor). When the graph executes, TF reads beyond the allocated heap buffer — either exposing adjacent memory contents (model weights, cached training embeddings, or process secrets) via error messages or side-channel timing, or crashing the serving process. In a model quantization API endpoint, this could be triggered remotely if the service accepts user-supplied SavedModels for conversion.
Weaknesses (CWE)
CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] Use a language that provides appropriate memory abstractions.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

References
- https://github.com/tensorflow/tensorflow/commit/99085e8ff02c3763a0ec2263e44daec416f6a387 (Patch, 3rd Party)
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-h9px-9vqg-222h (Exploit, Patch, 3rd Party)
Related Vulnerabilities
- CVE-2020-15196 (9.9) TensorFlow: heap OOB read in sparse/ragged count ops (same package: tensorflow)
- CVE-2020-15205 (9.8) TensorFlow: heap overflow in StringNGrams, ASLR bypass (same package: tensorflow)
- CVE-2020-15208 (9.8) TFLite: OOB read/write via tensor dimension mismatch (same package: tensorflow)
- CVE-2019-16778 (9.8) TensorFlow: heap overflow in UnsortedSegmentSum op (same package: tensorflow)
- CVE-2022-23587 (9.8) TensorFlow: integer overflow in Grappler enables RCE (same package: tensorflow)