CVE-2021-29554 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

A crafted sparse tensor input can crash TensorFlow processes via integer divide-by-zero in the DenseCountSparseOutput kernel. If your ML pipelines or inference APIs accept user-supplied tensor data without input validation, patch to TF 2.5.0, 2.4.2, or 2.3.3 immediately. Impact is availability-only—no data exfiltration risk—but a crashed inference server means model downtime.

Risk Assessment

CVSS 5.5 (Medium) with local attack vector understates real-world risk for organizations exposing TensorFlow inference APIs. While technically local, any web-facing ML service that proxies raw TF ops to user input effectively promotes this to a network-exploitable DoS. Low complexity (no special skills needed) and low privilege requirement make it trivially weaponizable once access is obtained. Not in CISA KEV and no evidence of active exploitation, but the patch has been available since 2021—unpatched instances represent negligent exposure.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 1% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

1 step

1) Upgrade TensorFlow to 2.5.0, 2.4.2, or 2.3.3 (patch commit da5ff2d). 2) If patching is blocked, add input validation before DenseCountSparseOutput calls: assert values tensor is non-empty and num_batch_elements > 0. 3) Run TF serving processes under a supervisor/watchdog that alerts on unexpected crashes—abnormal restart loops may indicate active exploitation attempts. 4) Audit all inference endpoints that accept raw tensor inputs from external callers; restrict or sanitize before passing to low-level TF ops. 5) If running containerized inference, ensure crash isolation so one pod failure does not cascade.

Classification

DoS Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

6.1.2 - AI risk assessment A.9.7 - AI system availability and resilience

NIST AI RMF

MANAGE-2.2 - Risk treatments for AI incidents and near-misses MAP-5.1 - Likelihood and impact of AI risks

OWASP LLM Top 10

LLM09:2025 - Misinformation

Frequently Asked Questions

What is CVE-2021-29554?

A crafted sparse tensor input can crash TensorFlow processes via integer divide-by-zero in the DenseCountSparseOutput kernel. If your ML pipelines or inference APIs accept user-supplied tensor data without input validation, patch to TF 2.5.0, 2.4.2, or 2.3.3 immediately. Impact is availability-only—no data exfiltration risk—but a crashed inference server means model downtime.

Is CVE-2021-29554 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29554, increasing the risk of exploitation.

How to fix CVE-2021-29554?

1) Upgrade TensorFlow to 2.5.0, 2.4.2, or 2.3.3 (patch commit da5ff2d). 2) If patching is blocked, add input validation before DenseCountSparseOutput calls: assert values tensor is non-empty and num_batch_elements > 0. 3) Run TF serving processes under a supervisor/watchdog that alerts on unexpected crashes—abnormal restart loops may indicate active exploitation attempts. 4) Audit all inference endpoints that accept raw tensor inputs from external callers; restrict or sanitize before passing to low-level TF ops. 5) If running containerized inference, ensure crash isolation so one pod failure does not cascade.

What systems are affected by CVE-2021-29554?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, data processing pipelines, ML notebook environments.

What is the CVSS score for CVE-2021-29554?

CVE-2021-29554 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.DenseCountSparseOutput`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/efff014f3b2d8ef6141da30c806faf141297eca1/tensorflow/core/kernels/count_ops.cc#L123-L127) computes a divisor value from user data but does not check that the result is 0 before doing the division. Since `data` is given by the `values` argument, `num_batch_elements` is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, and TensorFlow 2.3.3, as these are also affected.

Exploitation Scenario

An adversary with access to a TensorFlow inference API endpoint—or a shared ML notebook environment—submits a crafted payload where the 'values' argument to DenseCountSparseOutput contains zero elements, causing num_batch_elements to evaluate to zero. The kernel computes a divisor from this user-controlled value without a zero-check, triggering a Floating Point Exception (SIGFPE) that crashes the TF process. In a model-serving context, this knocks out the inference worker. If the API is publicly accessible (e.g., a REST endpoint wrapping tf.raw_ops), the attacker needs no authentication—just the ability to craft an HTTP request with a minimal malformed tensor payload. Repeated submissions cause persistent DoS.