CVE-2021-29558 — HIGH (CVSS 7.8) AI Security Vulnerability

CISO Take

Patch all TensorFlow installations in the 2.1.x–2.4.x range immediately — fixed in 2.5.0 and backported to 2.4.2, 2.3.3, 2.2.3, and 2.1.4. The local attack vector is misleading: shared Jupyter/notebook clusters and MLOps platforms where users can invoke raw ops effectively make this remotely exploitable by any platform user. Prioritize patching in multi-tenant training infrastructure and any serving environment that accepts user-defined TensorFlow graphs.

Risk Assessment

CVSS 7.8 with a local attack vector understates real-world risk in typical AI/ML environments. Low attack complexity and no user interaction required mean exploitation is straightforward for anyone with notebook or platform access. Enterprise JupyterHub clusters, hosted ML training platforms, and model-serving infrastructure that proxies user-controlled TF operations elevate this to near-critical. The SparseSplit op is common in NLP and recommendation system pipelines, broadening the attack surface across production workloads.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.8 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 2% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

Recommended Action

5 steps

PATCH

Upgrade TensorFlow to 2.5.0 or apply cherrypicks: 2.4.2, 2.3.3, 2.2.3, 2.1.4.
AUDIT

Inventory all TensorFlow installations across training clusters, serving infrastructure, notebook environments, and CI/CD pipelines.
RESTRICT

Disable or sandbox tf.raw_ops access in multi-tenant platforms; do not allow user-controlled operation parameters in production serving.
ISOLATE

Run TensorFlow workloads in per-tenant containers or VMs to limit blast radius from exploitation.
DETECT

Monitor TF worker processes for anomalous crashes or heap corruption signals that may indicate active exploitation attempts.

Classification

Code Execution Supply Chain Framework Inference AML.T0010.001 - AI Software AML.T0016.001 - Software Tools AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

ISO 42001

A.6.2 - AI system security

NIST AI RMF

GOVERN-6.1 - Policies for third-party AI risk MANAGE-2.2 - Risks from third-party entities

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29558?

Patch all TensorFlow installations in the 2.1.x–2.4.x range immediately — fixed in 2.5.0 and backported to 2.4.2, 2.3.3, 2.2.3, and 2.1.4. The local attack vector is misleading: shared Jupyter/notebook clusters and MLOps platforms where users can invoke raw ops effectively make this remotely exploitable by any platform user. Prioritize patching in multi-tenant training infrastructure and any serving environment that accepts user-defined TensorFlow graphs.

Is CVE-2021-29558 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29558, increasing the risk of exploitation.

How to fix CVE-2021-29558?

1. PATCH: Upgrade TensorFlow to 2.5.0 or apply cherrypicks: 2.4.2, 2.3.3, 2.2.3, 2.1.4. 2. AUDIT: Inventory all TensorFlow installations across training clusters, serving infrastructure, notebook environments, and CI/CD pipelines. 3. RESTRICT: Disable or sandbox tf.raw_ops access in multi-tenant platforms; do not allow user-controlled operation parameters in production serving. 4. ISOLATE: Run TensorFlow workloads in per-tenant containers or VMs to limit blast radius from exploitation. 5. DETECT: Monitor TF worker processes for anomalous crashes or heap corruption signals that may indicate active exploitation attempts.

What systems are affected by CVE-2021-29558?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, notebook environments, MLOps platforms.

What is the CVSS score for CVE-2021-29558?

CVE-2021-29558 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `tf.raw_ops.SparseSplit`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/699bff5d961f0abfde8fa3f876e6d241681fbef8/tensorflow/core/util/sparse/sparse_tensor.h#L528-L530) accesses an array element based on a user controlled offset. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with low-privileged access to a shared ML platform (e.g., enterprise JupyterHub or a hosted notebook service) submits a crafted TensorFlow computation graph calling tf.raw_ops.SparseSplit with a malicious user-controlled offset value. This triggers an out-of-bounds write in the C++ sparse tensor implementation, corrupting adjacent heap memory. If the TF worker runs with elevated permissions — common in training infrastructure — this can lead to privilege escalation or arbitrary code execution within the worker process, potentially compromising the training environment, model artifacts, or underlying host.