CVE-2021-29558: TensorFlow heap buffer overflow

CISO Take

Patch all TensorFlow installations in the 2.1.x–2.4.x range immediately — fixed in 2.5.0 and backported to 2.4.2, 2.3.3, 2.2.3, and 2.1.4. The local attack vector is misleading: shared Jupyter/notebook clusters and MLOps platforms where users can invoke raw ops effectively make this remotely exploitable by any platform user. Prioritize patching in multi-tenant training infrastructure and any serving environment that accepts user-defined TensorFlow graphs.

What is the risk?

CVSS 7.8 with a local attack vector understates real-world risk in typical AI/ML environments. Low attack complexity and no user interaction required mean exploitation is straightforward for anyone with notebook or platform access. Enterprise JupyterHub clusters, hosted ML training platforms, and model-serving infrastructure that proxies user-controlled TF operations elevate this to near-critical. The SparseSplit op is common in NLP and recommendation system pipelines, broadening the attack surface across production workloads.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 2d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

7.8 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 11% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

What should I do?

5 steps

PATCH

Upgrade TensorFlow to 2.5.0 or apply cherrypicks: 2.4.2, 2.3.3, 2.2.3, 2.1.4.
AUDIT

Inventory all TensorFlow installations across training clusters, serving infrastructure, notebook environments, and CI/CD pipelines.
RESTRICT

Disable or sandbox tf.raw_ops access in multi-tenant platforms; do not allow user-controlled operation parameters in production serving.
ISOLATE

Run TensorFlow workloads in per-tenant containers or VMs to limit blast radius from exploitation.
DETECT

Monitor TF worker processes for anomalous crashes or heap corruption signals that may indicate active exploitation attempts.

How is it classified?

Code Execution Supply Chain Framework Inference AML.T0010.001 - AI Software AML.T0016.001 - Software Tools AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

ISO 42001

A.6.2 - AI system security

NIST AI RMF

GOVERN-6.1 - Policies for third-party AI risk MANAGE-2.2 - Risks from third-party entities

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-29558?

Patch all TensorFlow installations in the 2.1.x–2.4.x range immediately — fixed in 2.5.0 and backported to 2.4.2, 2.3.3, 2.2.3, and 2.1.4. The local attack vector is misleading: shared Jupyter/notebook clusters and MLOps platforms where users can invoke raw ops effectively make this remotely exploitable by any platform user. Prioritize patching in multi-tenant training infrastructure and any serving environment that accepts user-defined TensorFlow graphs.

Is CVE-2021-29558 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-29558, increasing the risk of exploitation.

How to fix CVE-2021-29558?

1. PATCH: Upgrade TensorFlow to 2.5.0 or apply cherrypicks: 2.4.2, 2.3.3, 2.2.3, 2.1.4. 2. AUDIT: Inventory all TensorFlow installations across training clusters, serving infrastructure, notebook environments, and CI/CD pipelines. 3. RESTRICT: Disable or sandbox tf.raw_ops access in multi-tenant platforms; do not allow user-controlled operation parameters in production serving. 4. ISOLATE: Run TensorFlow workloads in per-tenant containers or VMs to limit blast radius from exploitation. 5. DETECT: Monitor TF worker processes for anomalous crashes or heap corruption signals that may indicate active exploitation attempts.

What systems are affected by CVE-2021-29558?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, notebook environments, MLOps platforms.

What is the CVSS score for CVE-2021-29558?

CVE-2021-29558 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.21%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingnotebook environmentsMLOps platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0016.001 Software Tools

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

ISO 42001: A.6.2

NIST AI RMF: GOVERN-6.1, MANAGE-2.2

OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `tf.raw_ops.SparseSplit`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/699bff5d961f0abfde8fa3f876e6d241681fbef8/tensorflow/core/util/sparse/sparse_tensor.h#L528-L530) accesses an array element based on a user controlled offset. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with low-privileged access to a shared ML platform (e.g., enterprise JupyterHub or a hosted notebook service) submits a crafted TensorFlow computation graph calling tf.raw_ops.SparseSplit with a malicious user-controlled offset value. This triggers an out-of-bounds write in the C++ sparse tensor implementation, corrupting adjacent heap memory. If the TF worker runs with elevated permissions — common in training infrastructure — this can lead to privilege escalation or arbitrary code execution within the worker process, potentially compromising the training environment, model artifacts, or underlying host.

Weaknesses (CWE)

CWE-787 Out-of-bounds Write

CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.

[Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.